author | Patrick Steinhardt <ps@pks.im> | 2018-10-18 11:43:30 +0200 |
---|---|---|
committer | Patrick Steinhardt <ps@pks.im> | 2018-10-26 14:20:35 +0200 |
commit | 61165dd4003938ce5b2e684799760cc7c0c82e9e (patch) | |
tree | 1b6f9f4357448848096ba5c0814e096676fcfb5f | |
parent | 6b2b63e50115a3e5db46d3744f24f9422dd2bb6b (diff) | |
download | libgit2-61165dd4003938ce5b2e684799760cc7c0c82e9e.tar.gz |
tree-cache: avoid out-of-bound reads when parsing trees
We use the `git__strtol32` function to parse the child and entry count
of treecaches from the index, which does not accept a buffer length. As
the buffer that is being passed in is untrusted data and may thus be
malformed and may not contain a terminating `NUL` byte, we can overrun
the buffer and thus perform an out-of-bounds read.
Fix the issue by using `git__strntol32` instead.
(cherry picked from commit 21652ee9de439e042cc2e69b208aa2ef8ce31147)
-rw-r--r-- | src/tree-cache.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/tree-cache.c b/src/tree-cache.c
index b331d22a2..c33e6af9e 100644
--- a/src/tree-cache.c
+++ b/src/tree-cache.c
@@ -91,7 +91,7 @@ static int read_tree_internal(git_tree_cache **out,
 return -1;
 /* Blank-terminated ASCII decimal number of entries in this tree */
- if (git__strtol32(&count, buffer, &buffer, 10) < 0)
+ if (git__strntol32(&count, buffer, buffer_end - buffer, &buffer, 10) < 0)
 goto corrupted;
 tree->entry_count = count;
@@ -100,7 +100,7 @@ static int read_tree_internal(git_tree_cache **out,
 goto corrupted;
 /* Number of children of the tree, newline-terminated */
- if (git__strtol32(&count, buffer, &buffer, 10) < 0 || count < 0)
+ if (git__strntol32(&count, buffer, buffer_end - buffer, &buffer, 10) < 0 || count < 0)
 goto corrupted;
 tree->children_count = count; |
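Review bot: Both new calls compute the length as `buffer_end - buffer`, a signed pointer difference that is converted to the function's length parameter, so the bound only holds if `buffer <= buffer_end` at each call site; if `buffer` were ever past the end, the length would wrap to a huge value and the read would be unbounded again. The checks that establish this are outside both hunks (read_tree_internal starts before the first hunk and continues past the second), so they cannot be confirmed here. I would make the precondition explicit ahead of each parse with `if (buffer >= buffer_end) goto corrupted;`, which also rejects an empty remainder early. The same applies to whatever follows the first parse: the returned end pointer may equal `buffer_end`, so it should be compared against `buffer_end` before it is dereferenced.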