Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

patch_parse: fixes for fuzzing errors #5276

Merged
merged 4 commits into from Oct 29, 2019
Merged

patch_parse: fixes for fuzzing errors #5276

merged 4 commits into from Oct 29, 2019

Conversation

pks-t
Copy link
Member

@pks-t pks-t commented Oct 19, 2019

These are the first results of #5269.

@pks-t
patch_parse: reject patches with multiple old/new paths
223e7e4 
It's currently possible to have patches with multiple old path name
headers. As we didn't check for this case, this resulted in a memory
leak when overwriting the old old path with the new old path because we
simply discarded the old pointer.

Instead of fixing this by free'ing the old pointer, we should reject
such patches altogether. It doesn't make any sense for the "---" or
"+++" markers to occur multiple times within a patch n the first place.
This also implicitly fixes the memory leak.
@pks-t
patch_parse: reject empty path names
6c6c15e 
When parsing patch headers, we currently accept empty path names just
fine, e.g. a line "--- \n" would be parsed as the empty filename. This
is not a valid patch format and may cause `NULL` pointer accesses at a
later place as `git_buf_detach` will return `NULL` in that case.

Reject such patches as malformed with a nice error message.
@pks-t
patch_parse: fix out-of-bounds read with No-NL lines
468e3dd 
We've got two locations where we copy lines into the patch. The first
one is when copying normal " ", "-" or "+" lines, while the second
location gets executed when we copy "\ No newline at end of file" lines.
While the first one correctly uses `git__strndup` to copy only until the
newline, the other one doesn't. Thus, if the line occurs at the end of
the patch and if there is no terminating NUL character, then it may
result in an out-of-bounds read.

Fix the issue by using `git__strndup`, as was already done in the other
location. Furthermore, add allocation checks to both locations to detect
out-of-memory situations.
@pks-t pks-t force-pushed the pks/patch-fuzzing-fixes branch 2 times, most recently from dd207f5 to 3cfd4ac Compare October 21, 2019 17:08
@pks-t
patch_parse: detect overflow when calculating old/new line position
37141ff 
When the patch contains lines close to INT_MAX, then it may happen that
we end up with an integer overflow when calculating the line of the
current diff hunk. Reject such patches as unreasonable to avoid the
integer overflow.

As the calculation is performed on integers, we introduce two new
helpers `git__add_int_overflow` and `git__sub_int_overflow` that perform
the integer overflow check in a generic way.
@pks-t
Copy link
Member Author

pks-t commented Oct 29, 2019

I'm going ahead and merge this. The fixes should be rather obvious, and these bugs currently hinder progress of the fuzzer.

@pks-t pks-t merged commit 2a7d6de into libgit2:master Oct 29, 2019
@pks-t pks-t deleted the pks/patch-fuzzing-fixes branch October 29, 2019 06:52
@snyk-bot snyk-bot mentioned this pull request Feb 23, 2020
Open
@snyk-bot snyk-bot mentioned this pull request Mar 12, 2020
Merged
@snyk-bot snyk-bot mentioned this pull request Apr 22, 2020
Open
@snyk-bot snyk-bot mentioned this pull request May 5, 2020
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@pks-t