mirror of
https://github.com/git/git.git
synced 2024-11-20 04:24:01 +01:00
check patch_delta bounds more carefully
Let's avoid going south with invalid delta data. Signed-off-by: Nicolas Pitre <nico@cam.org> Signed-off-by: Junio C Hamano <junkio@cox.net>
This commit is contained in:
parent
7d6c447145
commit
8960844a78
5
delta.h
5
delta.h
@ -16,7 +16,8 @@ extern void *patch_delta(void *src_buf, unsigned long src_size,
|
||||
* This must be called twice on the delta data buffer, first to get the
|
||||
* expected reference buffer size, and again to get the result buffer size.
|
||||
*/
|
||||
static inline unsigned long get_delta_hdr_size(const unsigned char **datap)
|
||||
static inline unsigned long get_delta_hdr_size(const unsigned char **datap,
|
||||
const unsigned char *top)
|
||||
{
|
||||
const unsigned char *data = *datap;
|
||||
unsigned char cmd;
|
||||
@ -26,7 +27,7 @@ static inline unsigned long get_delta_hdr_size(const unsigned char **datap)
|
||||
cmd = *data++;
|
||||
size |= (cmd & ~0x80) << i;
|
||||
i += 7;
|
||||
} while (cmd & 0x80);
|
||||
} while (cmd & 0x80 && data < top);
|
||||
*datap = data;
|
||||
return size;
|
||||
}
|
||||
|
@ -28,12 +28,12 @@ void *patch_delta(void *src_buf, unsigned long src_size,
|
||||
top = delta_buf + delta_size;
|
||||
|
||||
/* make sure the orig file size matches what we expect */
|
||||
size = get_delta_hdr_size(&data);
|
||||
size = get_delta_hdr_size(&data, top);
|
||||
if (size != src_size)
|
||||
return NULL;
|
||||
|
||||
/* now the result size */
|
||||
size = get_delta_hdr_size(&data);
|
||||
size = get_delta_hdr_size(&data, top);
|
||||
dst_buf = malloc(size + 1);
|
||||
if (!dst_buf)
|
||||
return NULL;
|
||||
@ -52,21 +52,37 @@ void *patch_delta(void *src_buf, unsigned long src_size,
|
||||
if (cmd & 0x20) cp_size |= (*data++ << 8);
|
||||
if (cmd & 0x40) cp_size |= (*data++ << 16);
|
||||
if (cp_size == 0) cp_size = 0x10000;
|
||||
if (cp_off + cp_size < cp_size ||
|
||||
cp_off + cp_size > src_size ||
|
||||
cp_size > size)
|
||||
goto bad;
|
||||
memcpy(out, src_buf + cp_off, cp_size);
|
||||
out += cp_size;
|
||||
} else {
|
||||
size -= cp_size;
|
||||
} else if (cmd) {
|
||||
if (cmd > size)
|
||||
goto bad;
|
||||
memcpy(out, data, cmd);
|
||||
out += cmd;
|
||||
data += cmd;
|
||||
size -= cmd;
|
||||
} else {
|
||||
/*
|
||||
* cmd == 0 is reserved for future encoding
|
||||
* extensions. In the mean time we must fail when
|
||||
* encountering them (might be data corruption).
|
||||
*/
|
||||
goto bad;
|
||||
}
|
||||
}
|
||||
|
||||
/* sanity check */
|
||||
if (data != top || out - dst_buf != size) {
|
||||
if (data != top || size != 0) {
|
||||
bad:
|
||||
free(dst_buf);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
*dst_size = size;
|
||||
*dst_size = out - dst_buf;
|
||||
return dst_buf;
|
||||
}
|
||||
|
@ -804,10 +804,12 @@ static int packed_delta_info(unsigned char *base_sha1,
|
||||
* the result size.
|
||||
*/
|
||||
data = delta_head;
|
||||
get_delta_hdr_size(&data); /* ignore base size */
|
||||
|
||||
/* ignore base size */
|
||||
get_delta_hdr_size(&data, delta_head+sizeof(delta_head));
|
||||
|
||||
/* Read the result size */
|
||||
result_size = get_delta_hdr_size(&data);
|
||||
result_size = get_delta_hdr_size(&data, delta_head+sizeof(delta_head));
|
||||
*sizep = result_size;
|
||||
}
|
||||
return 0;
|
||||
|
Loading…
Reference in New Issue
Block a user