Skip to content


index: fix out-of-bounds read with invalid index entry prefix length
Browse files Browse the repository at this point in the history
The index format in version 4 has prefix-compressed entries, where every
index entry can compress its path by using a path prefix of the previous
entry. Since implmenting support for this index format version in commit
5625d86 (index: support index v4, 2016-05-17), though, we do not
correctly verify that the prefix length that we want to reuse is
actually smaller or equal to the amount of characters than the length of
the previous index entry's path. This can lead to a an integer underflow
and subsequently to an out-of-bounds read.

Fix this by verifying that the prefix is actually smaller than the
previous entry's path length.

Reported-by: Krishna Ram Prakash R <>
Reported-by: Vivek Parikh <>
  • Loading branch information
pks-t committed Mar 10, 2018
1 parent 58a6fe9 commit 3207ddb
Showing 1 changed file with 10 additions and 9 deletions.
19 changes: 10 additions & 9 deletions src/index.c
Original file line number Diff line number Diff line change
Expand Up @@ -2365,17 +2365,18 @@ static int read_entry(
entry_size = index_entry_size(path_length, 0, entry.flags);
entry.path = (char *)path_ptr;
} else {
size_t varint_len;
size_t strip_len = git_decode_varint((const unsigned char *)path_ptr,
size_t last_len = strlen(last);
size_t prefix_len = last_len - strip_len;
size_t suffix_len = strlen(path_ptr + varint_len);
size_t path_len;

if (varint_len == 0)
size_t varint_len, last_len, prefix_len, suffix_len, path_len;
uintmax_t strip_len;

strip_len = git_decode_varint((const unsigned char *)path_ptr, &varint_len);
last_len = strlen(last);

if (varint_len == 0 || last_len < strip_len)
return index_error_invalid("incorrect prefix length");

prefix_len = last_len - strip_len;
suffix_len = strlen(path_ptr + varint_len);

GITERR_CHECK_ALLOC_ADD(&path_len, prefix_len, suffix_len);
GITERR_CHECK_ALLOC_ADD(&path_len, path_len, 1);
tmp_path = git__malloc(path_len);
Expand Down

0 comments on commit 3207ddb

Please sign in to comment.