From 21870efc4aab4732ba2c422ef116597c54e4a8ec Mon Sep 17 00:00:00 2001 From: Jann Horn Date: Thu, 30 Aug 2018 03:09:45 -0400 Subject: [PATCH] patch-delta: fix oob read If `cmd` is in the range [0x01,0x7f] and `cmd > top-data`, the `memcpy(out, data, cmd)` can copy out-of-bounds data from after `delta_buf` into `dst_buf`. This is not an exploitable bug because triggering the bug increments the `data` pointer beyond `top`, causing the `data != top` sanity check after the loop to trigger and discard the destination buffer - which means that the result of the out-of-bounds read is never used for anything. Signed-off-by: Jann Horn Signed-off-by: Jeff King Reviewed-by: Nicolas Pitre Signed-off-by: Junio C Hamano --- patch-delta.c | 2 +- t/t5303-pack-corruption-resilience.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/patch-delta.c b/patch-delta.c index 56e0a5ede2..b937afd2c9 100644 --- a/patch-delta.c +++ b/patch-delta.c @@ -56,7 +56,7 @@ void *patch_delta(const void *src_buf, unsigned long src_size, out += cp_size; size -= cp_size; } else if (cmd) { - if (cmd > size) + if (cmd > size || cmd > top - data) break; memcpy(out, data, cmd); out += cmd; diff --git a/t/t5303-pack-corruption-resilience.sh b/t/t5303-pack-corruption-resilience.sh index 912e659acf..7114c31ade 100755 --- a/t/t5303-pack-corruption-resilience.sh +++ b/t/t5303-pack-corruption-resilience.sh @@ -341,7 +341,7 @@ test_expect_success \ # \0 - empty base # \2 - two bytes in result # \2 - two literal bytes (we are short one) -test_expect_failure \ +test_expect_success \ 'apply delta with too few literal bytes' \ 'printf "\0\2\2X" > truncated_delta && test_must_fail test-tool delta -p /dev/null truncated_delta /dev/null'