Hi,

We found a read-out-of-bounds parsing a malformed object file using the last version of libgit2. To reproduce, first compile libgit2 and its examples with AddressSanitizer support. Then:

Finally, you can trigger the bug using cat-file:

The AddressSanitizer report is here:

```
=9796==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000342b4 at pc 0x7f36f24005cf bp 0x7ffd9bc2cb60 sp 0x7ffd9bc2cb50
READ of size 1 at 0x6020000342b4 thread T0
    #0 0x7f36f24005ce in git_oid_nfmt /home/g/Work/Code/libgit2-master/src/oid.c:82
    #1 0x7f36f2400901 in git_oid_tostr /home/g/Work/Code/libgit2-master/src/oid.c:127
    #2 0x402f22 in show_tree /home/g/Work/Code/libgit2-master/examples/cat-file.c:58
    #3 0x403735 in main /home/g/Work/Code/libgit2-master/examples/cat-file.c:178
    #4 0x7f36f1d03290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
    #5 0x401919 in _start (/home/g/Work/Code/libgit2-master/examples/cat-file+0x401919)

0x6020000342b4 is located 0 bytes to the right of 4-byte region [0x6020000342b0,0x6020000342b4)
allocated by thread T0 here:
    #0 0x7f36f2868e60 in __interceptor_malloc /build/gcc-multilib/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x7f36f23f4af7 in git__malloc /home/g/Work/Code/libgit2-master/src/util.h:162
    #2 0x7f36f23f5d1e in inflate_tail /home/g/Work/Code/libgit2-master/src/odb_loose.c:275
    #3 0x7f36f23f64a4 in inflate_disk_obj /home/g/Work/Code/libgit2-master/src/odb_loose.c:377
    #4 0x7f36f23f687f in read_loose /home/g/Work/Code/libgit2-master/src/odb_loose.c:417
    #5 0x7f36f23f7b2e in loose_backend__read /home/g/Work/Code/libgit2-master/src/odb_loose.c:642
    #6 0x7f36f23f26f1 in odb_read_1 /home/g/Work/Code/libgit2-master/src/odb.c:996
    #7 0x7f36f23f293b in git_odb_read /home/g/Work/Code/libgit2-master/src/odb.c:1028
    #8 0x7f36f23ec5ca in git_object_lookup_prefix /home/g/Work/Code/libgit2-master/src/object.c:167
    #9 0x7f36f24708f9 in maybe_sha_or_abbrev /home/g/Work/Code/libgit2-master/src/revparse.c:24
    #10 0x7f36f2470994 in maybe_sha /home/g/Work/Code/libgit2-master/src/revparse.c:34
    #11 0x7f36f2470cf6 in revparse_lookup_object /home/g/Work/Code/libgit2-master/src/revparse.c:96
    #12 0x7f36f2473b1c in ensure_base_rev_loaded /home/g/Work/Code/libgit2-master/src/revparse.c:625
    #13 0x7f36f24744f6 in revparse__ext /home/g/Work/Code/libgit2-master/src/revparse.c:802
    #14 0x7f36f2474854 in git_revparse_ext /home/g/Work/Code/libgit2-master/src/revparse.c:840
    #15 0x7f36f2474a8b in git_revparse_single /home/g/Work/Code/libgit2-master/src/revparse.c:863
    #16 0x40356c in main /home/g/Work/Code/libgit2-master/examples/cat-file.c:136
    #17 0x7f36f1d03290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
```

This issue was found using QuickFuzz.

Regards,
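The trace above shows a 1-byte read just past a 4-byte inflated object while a tree entry's id is being formatted. As an added defensive example (not libgit2's code and not the fix for this report), here is a tree-entry parser in C that checks every read against the inflated buffer length before touching the 20-byte object id, so a truncated final entry is rejected instead of read past the allocation. The `<octal mode> <name>\0<20-byte id>` layout is git's tree entry format; the function names are my own.

```c
#include <stddef.h>
#include <string.h>

#define GIT_OID_RAWSZ 20

/* Parse one tree entry ("<octal mode> <name>\0<20-byte id>") at buf[0..len).
 * Returns bytes consumed, or 0 if the entry is truncated or malformed.
 * Every read is checked against len, so an entry whose id runs past the end
 * of the inflated object is rejected rather than read out of bounds. */
size_t parse_tree_entry(const unsigned char *buf, size_t len,
                        const unsigned char **oid_out)
{
    size_t i = 0;

    /* Octal mode digits, then exactly one space. */
    while (i < len && buf[i] >= '0' && buf[i] <= '7')
        i++;
    if (i == 0 || i >= len || buf[i] != ' ')
        return 0;
    i++;

    /* NUL-terminated name; memchr is bounded by the remaining length. */
    const unsigned char *nul = memchr(buf + i, '\0', len - i);
    if (nul == NULL || nul == buf + i)           /* missing or empty name */
        return 0;
    size_t oid_off = (size_t)(nul - buf) + 1;    /* oid_off <= len here */

    /* The 20-byte id must lie entirely inside the buffer. */
    if (len - oid_off < GIT_OID_RAWSZ)
        return 0;

    if (oid_out)
        *oid_out = buf + oid_off;
    return oid_off + GIT_OID_RAWSZ;
}

/* Walk a whole tree buffer: number of entries, or -1 if any is truncated. */
int count_tree_entries(const unsigned char *buf, size_t len)
{
    int n = 0;
    for (size_t off = 0; off < len; n++) {
        size_t used = parse_tree_entry(buf + off, len - off, NULL);
        if (used == 0)
            return -1;
        off += used;
    }
    return n;
}
```

A caller that formats ids only from entries this parser accepted never hands a short buffer to the id formatter, which is the class of over-read the sanitizer caught here.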