authorPatrick Steinhardt <ps@pks.im>2018-10-18 11:29:06 +0200
committerPatrick Steinhardt <ps@pks.im>2018-10-18 11:29:06 +0200
commit600ceadd1426b874ae0618651210a690a68b27e9 (patch)
tree3d5ed482cefdcf3ba08b1ae702f02c3715d04ba1
parent1a3fa1f5fafd433bdcf1834426d6963eff532125 (diff)
index: avoid out-of-bounds read when reading reuc entry stage
We use `git__strtol64` to parse file modes of the index entries, which does not limit the parsed buffer length. As the index can be essentially treated as "untrusted" in that the data stems from the file system, it may be malformed and may not contain terminating `NUL` bytes. This may lead to out-of-bounds reads when trying to parse index entries with such malformed modes. Fix the issue by using `git__strntol64` instead.
-rw-r--r--src/index.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/index.c b/src/index.c
index 465efaa4e..8858d23a1 100644
--- a/src/index.c
+++ b/src/index.c
@@ -2243,7 +2243,7 @@ static int read_reuc(git_index *index, const char *buffer, size_t size)
for (i = 0; i < 3; i++) {
int64_t tmp;
- if (git__strtol64(&tmp, buffer, &endptr, 8) < 0 ||
+ if (git__strntol64(&tmp, buffer, size, &endptr, 8) < 0 ||
!endptr || endptr == buffer || *endptr ||
tmp < 0 || tmp > UINT32_MAX) {
index_entry_reuc_free(lost);
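Review bot: The `*endptr` test on the line after the new call can still read one byte beyond the bounded region. If the octal digits run up to the last of the `size` bytes, `git__strntol64` presumably leaves `endptr` at `buffer + size`, and that pointer is dereferenced before any length check visible in this hunk. Testing the consumed length first, for example `endptr == buffer || (size_t)(endptr - buffer) >= size || *endptr ||`, would keep the terminator check inside the buffer. The fix also relies on `size` being the number of bytes remaining at `buffer` on every loop iteration; that bookkeeping is outside the hunk, as are the start and end of read_reuc, so it should be confirmed there.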