mirror/ git
1
0
Fork 0
mirror of https://github.com/git/git.git synced 2024-05-09 10:16:08 +02:00
Code

packfile: avoid overflowing shift during decode 

unpack_object_header_buffer() attempts to protect against overflowing
left shifts, but the limit of the shift amount should not be the size of
the variable being shifted. It should be the size minus the size of its
contents. Fix that accordingly.

This was noticed at $DAYJOB by a fuzzer running internally.

Signed-off-by: Jonathan Tan <jonathantanmy@google.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
This commit is contained in:
Jonathan Tan 2021-11-10 15:40:33 -08:00 committed by Junio C Hamano
parent 5fbd2fc599
commit 34de5b8eac
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
packfile.c
View File

@ -1067,7 +1067,7 @@ unsigned long unpack_object_header_buffer(const unsigned char *buf,
size = c & 15;
shift = 4;
while (c & 0x80) {
if (len <= used || bitsizeof(long) <= shift) {
if (len <= used || (bitsizeof(long) - 7) <= shift) {
error("bad object header");
size = used = 0;
break;