diff options
| author | lhchavez <lhchavez@lhchavez.com> | 2017-12-08 06:00:27 +0000 |
|---|---|---|
| committer | lhchavez <lhchavez@lhchavez.com> | 2017-12-08 06:00:27 +0000 |
| commit | 28662c13a8a36c1145ff3a1796d68422474e31c1 (patch) | |
| tree | 1491b936d0a5d636ea134df1c90e160e0b6ac1a4 | |
| parent | 429bb3575474a3d25ee1c9814612d8d01b3378e8 (diff) | |
| download | libgit2-28662c13a8a36c1145ff3a1796d68422474e31c1.tar.gz | |
libFuzzer: Prevent a potential shift overflow
The type of |base_offset| in get_delta_base() is `git_off_t`, which is a
signed `long`. That means that we need to make sure that the 8 most
significant bits are zero (instead of 7) to avoid an overflow when it is
shifted by 7 bits.
Found using libFuzzer.
| -rw-r--r-- | src/pack.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/pack.c b/src/pack.c index 7fd95c905..1b88835ec 100644 --- a/src/pack.c +++ b/src/pack.c @@ -939,7 +939,7 @@ git_off_t get_delta_base( if (left <= used) return GIT_EBUFS; base_offset += 1; - if (!base_offset || MSB(base_offset, 7)) + if (!base_offset || MSB(base_offset, 8)) return 0; /* overflow */ c = base_info[used++]; base_offset = (base_offset << 7) + (c & 127); |