delta: fix overflow when computing limit
When checking whether a delta base offset and length fit into the base
we have in memory already, we can trigger an overflow which breaks the
check. This would subsequently result in us reading memory from out of
bounds of the base.

The issue is easily fixed by checking for overflow when adding `off` and
`len`, thus guaranteeing that we are never indexing beyond `base_len`.
This corresponds to the git patch 8960844a7 (check patch_delta bounds
more carefully, 2006-04-07), which adds these overflow checks.

Reported-by: Riccardo Schirone <rschiron@redhat.com>
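The failure the commit message describes, as an added example that is not libgit2's code: the original `base_len < off + len` test beside the fixed form, run on constructed values where `off + len` wraps past `SIZE_MAX`. `checked_add_sizet` is an assumed stand-in for `GIT_ADD_SIZET_OVERFLOW` (nonzero on overflow, sum stored otherwise).

```c
/* Added example, not libgit2 code: the copy-instruction bounds check in
 * git_delta_apply before and after the fix, on constructed inputs. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-in for GIT_ADD_SIZET_OVERFLOW: returns 1 if a + b would
 * wrap, otherwise stores a + b in *out and returns 0. */
static int checked_add_sizet(size_t *out, size_t a, size_t b)
{
    if (a > SIZE_MAX - b)
        return 1;
    *out = a + b;
    return 0;
}

/* Pre-fix check: off + len wraps (unsigned arithmetic), so a huge offset
 * can pass as a small end position and the copy reads outside base. */
int copy_fits_unchecked(size_t base_len, size_t off, size_t len)
{
    return !(base_len < off + len);
}

/* Post-fix check: detect the wrap first, then compare the real end against
 * base_len; end <= base_len also implies off <= base_len. */
int copy_fits_checked(size_t base_len, size_t off, size_t len)
{
    size_t end;
    if (checked_add_sizet(&end, off, len) || base_len < end)
        return 0;
    return 1;
}

int main(void)
{
    size_t base_len = 4096;
    /* Constructed copy instruction: off + len == 16 after wraparound. */
    size_t off = SIZE_MAX - 15, len = 32;

    printf("unchecked accepts: %d\n", copy_fits_unchecked(base_len, off, len));
    printf("checked accepts:   %d\n", copy_fits_checked(base_len, off, len));
    return 0;
}
```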
pks-t committed Jul 5, 2018
1 parent 9844d38 commit c157711
Showing 1 changed file with 4 additions and 2 deletions.
6 changes: 4 additions & 2 deletions src/delta.c
@@ -566,7 +566,7 @@ int git_delta_apply(
unsigned char cmd = *delta++;
if (cmd & 0x80) {
/* cmd is a copy instruction; copy from the base. */
size_t off = 0, len = 0;
size_t off = 0, len = 0, end;

#define ADD_DELTA(o, shift) { if (delta < delta_end) (o) |= ((unsigned) *delta++ << shift); else goto fail; }
if (cmd & 0x01) ADD_DELTA(off, 0UL);
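Review bot: `end` is the only variable on the `size_t off = 0, len = 0, end;` line left uninitialized; it is assigned solely by GIT_ADD_SIZET_OVERFLOW in the next hunk rather than accumulated through ADD_DELTA like `off` and `len`, which is correct but easy to misread. A short comment on the declaration (or `end = 0` for symmetry) would make the intent explicit.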
@@ -580,8 +580,10 @@ int git_delta_apply(
if (!len) len = 0x10000;
#undef ADD_DELTA

if (base_len < off + len || res_sz < len)
if (GIT_ADD_SIZET_OVERFLOW(&end, off, len) ||
base_len < end || res_sz < len)
goto fail;

memcpy(res_dp, base + off, len);
res_dp += len;
res_sz -= len;
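Review bot: the evaluation order of the new condition is load-bearing: `GIT_ADD_SIZET_OVERFLOW(&end, off, len)` must stay first so `end` is written before `base_len < end` reads it, and nothing in the code states that a reordering would reintroduce a read of an unassigned `end`; a one-line comment above the `if` would protect against a future cleanup. The fix would also benefit from a regression test that applies a delta whose copy offset plus length wraps past SIZE_MAX and asserts that `git_delta_apply` fails instead of reaching the `memcpy(res_dp, base + off, len)`.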
