delta: fix out-of-bounds read of delta

When computing the offset and length of the delta base, we repeatedly increment the `delta` pointer without checking whether we have advanced past its end already, which can thus result in an out-of-bounds read. Fix this by repeatedly checking whether we have reached the end. Add a test which would cause Valgrind to produce an error. Reported-by: Riccardo Schirone <rschiron@redhat.com> Test-provided-by: Riccardo Schirone <rschiron@redhat.com>
author: Patrick Steinhardt <ps@pks.im> 2018-06-29 09:11:02 +0200
committer: Patrick Steinhardt <ps@pks.im> 2018-06-29 09:30:02 +0200
commit: 24597812220325f1cb38f61e56b095ff38d1b1cb (patch)
tree: f1cbcd896bc749ad87c36089b840eb6d85eaacd6 /tests
parent: 7db258706ab4e09046255cdcbf27c5af8d29a551 (diff)
download: libgit2-24597812220325f1cb38f61e56b095ff38d1b1cb.tar.gz
1 files changed, 9 insertions, 0 deletions
diff --git a/tests/delta/apply.c b/tests/delta/apply.c
index 24513e040..5bb95a283 100644
--- a/tests/delta/apply.c
+++ b/tests/delta/apply.c
@@ -10,3 +10,12 @@ void test_delta_apply__read_at_off(void)
 
 	cl_git_fail(git_delta_apply(&out, &outlen, base, sizeof(base), delta, sizeof(delta)));
 }
+
+void test_delta_apply__read_after_limit(void)
+{
+	unsigned char base[16] = { 0 }, delta[] = { 0x10, 0x70, 0xff };
+	void *out;
+	size_t outlen;
+
+	cl_git_fail(git_delta_apply(&out, &outlen, base, sizeof(base), delta, sizeof(delta)));
+}
author	Patrick Steinhardt <ps@pks.im>	2018-06-29 09:11:02 +0200
committer	Patrick Steinhardt <ps@pks.im>	2018-06-29 09:30:02 +0200
commit	24597812220325f1cb38f61e56b095ff38d1b1cb (patch)
tree	f1cbcd896bc749ad87c36089b840eb6d85eaacd6 /tests
parent	7db258706ab4e09046255cdcbf27c5af8d29a551 (diff)
download	libgit2-24597812220325f1cb38f61e56b095ff38d1b1cb.tar.gz