1 files changed, 31 insertions, 17 deletions

diff --git a/patch-delta.c b/patch-delta.c
index c0e1311435..56e0a5ede2 100644
--- a/patch-delta.c
+++ b/patch-delta.c
@@ -2,19 +2,18 @@
  * patch-delta.c:
  * recreate a buffer from a source and the delta produced by diff-delta.c
  *
- * (C) 2005 Nicolas Pitre <nico@cam.org>
+ * (C) 2005 Nicolas Pitre <nico@fluxnic.net>
  *
  * This code is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
  * published by the Free Software Foundation.
  */
 
-#include <stdlib.h>
-#include <string.h>
+#include "git-compat-util.h"
 #include "delta.h"
 
-void *patch_delta(void *src_buf, unsigned long src_size,
-		  void *delta_buf, unsigned long delta_size,
+void *patch_delta(const void *src_buf, unsigned long src_size,
+		  const void *delta_buf, unsigned long delta_size,
 		  unsigned long *dst_size)
 {
 	const unsigned char *data, *top;
@@ -25,19 +24,16 @@ void *patch_delta(void *src_buf, unsigned long src_size,
 		return NULL;
 
 	data = delta_buf;
-	top = delta_buf + delta_size;
+	top = (const unsigned char *) delta_buf + delta_size;
 
 	/* make sure the orig file size matches what we expect */
-	size = get_delta_hdr_size(&data);
+	size = get_delta_hdr_size(&data, top);
 	if (size != src_size)
 		return NULL;
 
 	/* now the result size */
-	size = get_delta_hdr_size(&data);
-	dst_buf = malloc(size + 1);
-	if (!dst_buf)
-		return NULL;
-	dst_buf[size] = 0;
+	size = get_delta_hdr_size(&data, top);
+	dst_buf = xmallocz(size);
 
 	out = dst_buf;
 	while (data < top) {
@@ -47,26 +43,44 @@ void *patch_delta(void *src_buf, unsigned long src_size,
 			if (cmd & 0x01) cp_off = *data++;
 			if (cmd & 0x02) cp_off |= (*data++ << 8);
 			if (cmd & 0x04) cp_off |= (*data++ << 16);
-			if (cmd & 0x08) cp_off |= (*data++ << 24);
+			if (cmd & 0x08) cp_off |= ((unsigned) *data++ << 24);
 			if (cmd & 0x10) cp_size = *data++;
 			if (cmd & 0x20) cp_size |= (*data++ << 8);
 			if (cmd & 0x40) cp_size |= (*data++ << 16);
 			if (cp_size == 0) cp_size = 0x10000;
-			memcpy(out, src_buf + cp_off, cp_size);
+			if (unsigned_add_overflows(cp_off, cp_size) ||
+			    cp_off + cp_size > src_size ||
+			    cp_size > size)
+				break;
+			memcpy(out, (char *) src_buf + cp_off, cp_size);
 			out += cp_size;
-		} else {
+			size -= cp_size;
+		} else if (cmd) {
+			if (cmd > size)
+				break;
 			memcpy(out, data, cmd);
 			out += cmd;
 			data += cmd;
+			size -= cmd;
+		} else {
+			/*
+			 * cmd == 0 is reserved for future encoding
+			 * extensions. In the mean time we must fail when
+			 * encountering them (might be data corruption).
+			 */
+			error("unexpected delta opcode 0");
+			goto bad;
 		}
 	}
 
 	/* sanity check */
-	if (data != top || out - dst_buf != size) {
+	if (data != top || size != 0) {
+		error("delta replay has gone wild");
+		bad:
 		free(dst_buf);
 		return NULL;
 	}
 
-	*dst_size = size;
+	*dst_size = out - dst_buf;
 	return dst_buf;
 }