Our delta code was originally adapted from JGit, which itself adapted it
from git itself. Due to this heritage, we inherited a bug from git.git
in how we compute the delta offset, which was fixed upstream in
48fb7deb5 (Fix big left-shifts of unsigned char, 2009-06-17). As
explained by Linus:

    Shifting 'unsigned char' or 'unsigned short' left can result in sign
    extension errors, since the C integer promotion rules means that the
    unsigned char/short will get implicitly promoted to a signed 'int' due to
    the shift (or due to other operations).

    This normally doesn't matter, but if you shift things up sufficiently, it
    will now set the sign bit in 'int', and a subsequent cast to a bigger type
    (eg 'long' or 'unsigned long') will now sign-extend the value despite the
    original expression being unsigned.

    One example of this would be something like

            unsigned long size;
            unsigned char c;

            size += c << 24;

    where despite all the variables being unsigned, 'c << 24' ends up being a
    signed entity, and will get sign-extended when then doing the addition in
    an 'unsigned long' type.

    Since git uses 'unsigned char' pointers extensively, we actually have this
    bug in a couple of places.

In our delta code, we inherited such a bogus shift when computing the
offset at which the delta base is to be found. Due to the sign extension
we can end up with an offset where all the bits are set. This can allow
an arbitrary memory read, as the addition in `base_len < off + len` can
now overflow if `off` has all its bits set.

Fix the issue by casting the result of `*delta++ << 24UL` to an unsigned
integer again. Add a test with a crafted delta that would actually
succeed with an out-of-bounds read in case where the cast wouldn't
exist.

Reported-by: Riccardo Schirone <rschiron@redhat.com>
Test-provided-by: Riccardo Schirone <rschiron@redhat.com>

git expects an empty line after the binary data:

literal X
...binary data...
<empty_line>

The last literal block of the generated patches were not containing the required empty line. Example:

	diff --git a/binary_file b/binary_file
	index 3f1b3f9098131cfecea4a50ff8afab349ea66d22..86e5c1008b5ce635d3e3fffa4434c5eccd8f00b6 100644
	GIT binary patch
	literal 8
	Pc${NM&PdElPvrst3ey5{

	literal 6
	Nc${NM%g@i}0ssZ|0lokL
	diff --git a/binary_file2 b/binary_file2
	index 31be99be19470da4af5b28b21e27896a2f2f9ee2..86e5c1008b5ce635d3e3fffa4434c5eccd8f00b6 100644
	GIT binary patch
	literal 8
	Pc${NM&PdElPvrst3ey5{

	literal 13
	Sc${NMEKbZyOexL+Qd|HZV+4u-

git apply of that diff results in:

	error: corrupt binary patch at line 9: diff --git a/binary_file2 b/binary_file2
	fatal: patch with only garbage at line 10

The proper formating is:

	diff --git a/binary_file b/binary_file
	index 3f1b3f9098131cfecea4a50ff8afab349ea66d22..86e5c1008b5ce635d3e3fffa4434c5eccd8f00b6 100644
	GIT binary patch
	literal 8
	Pc${NM&PdElPvrst3ey5{

	literal 6
	Nc${NM%g@i}0ssZ|0lokL
	diff --git a/binary_file2 b/binary_file2
	index 31be99be19470da4af5b28b21e27896a2f2f9ee2..86e5c1008b5ce635d3e3fffa4434c5eccd8f00b6 100644
	GIT binary patch
	literal 8
	Pc${NM&PdElPvrst3ey5{

	literal 13
	Sc${NMEKbZyOexL+Qd|HZV+4u-

Plug a bunch of leaks

Ensure that even when we're forcing a binary diff that we do not
assume that there *is* a diff.  There should be an empty diff for
no change.

We test the generation of the textual patch via the patch function,
which are just one of two possibilities to get the output.

Add a second patch generation via the diff function to make sure both
outputs are in sync.