File libgit2-read-entry-return-code.patch of Package libgit2.6870
References: 58a6fe94cb851f71214dbefac3f9bffee437d6fe
From: Karol Babioch <kbabioch@suse.de>
Date: Wed Mar 14 11:15:46 CET 2018
Upstream: merged
Fix for CVE-2018-8099 (bsc#1085256).
---
src/index.c | 22 +++++++++++++---------
1 file changed, 13 insertions(+), 9 deletions(-)
Index: libgit2-0.24.1/src/index.c
===================================================================
--- libgit2-0.24.1.orig/src/index.c
+++ libgit2-0.24.1/src/index.c
@@ -2257,8 +2257,9 @@ out_err:
return 0;
}
-static size_t read_entry(
+static int read_entry(
git_index_entry **out,
+ size_t *out_size,
git_index *index,
const void *buffer,
size_t buffer_size)
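Review bot: The new return convention of `read_entry` is not documented at the signature, even though confusion over this contract is what the patch corrects. A short comment above the function would help, for example `/* Returns 0 and stores the entry's on-disk size in *out_size; returns -1 on a truncated or malformed entry, leaving *out_size unwritten. */`. The last clause is inferred from the hunks shown, where `*out_size` is assigned only immediately before `return 0`. The function body continues outside this hunk.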
@@ -2269,7 +2270,7 @@ static size_t read_entry(
git_index_entry entry = {{0}};
if (INDEX_FOOTER_SIZE + minimal_entry_size > buffer_size)
- return 0;
+ return -1;
/* buffer is not guaranteed to be aligned */
memcpy(&source, buffer, sizeof(struct entry_short));
@@ -2310,7 +2311,7 @@ static size_t read_entry(
path_end = memchr(path_ptr, '\0', buffer_size);
if (path_end == NULL)
- return 0;
+ return -1;
path_length = path_end - path_ptr;
}
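Review bot: The `memchr(path_ptr, '\0', buffer_size)` call in this hunk's context still uses the size of the whole remaining buffer as its bound, while `path_ptr` presumably points some way into `buffer`, past the fixed-size part of the entry. If so, a path with no NUL terminator lets the search run past the end of the index data before the new `return -1` is reached. The bound should be the bytes left from `path_ptr`, e.g. `memchr(path_ptr, '\0', buffer_size - (size_t)(path_ptr - (const char *)buffer))`, to be confirmed against how `path_ptr` is derived outside the hunk.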
@@ -2320,15 +2321,19 @@ static size_t read_entry(
else
entry_size = short_entry_size(path_length);
+ if (entry_size == 0)
+ return -1;
+
if (INDEX_FOOTER_SIZE + entry_size > buffer_size)
- return 0;
+ return -1;
entry.path = (char *)path_ptr;
if (index_entry_dup(out, index, &entry) < 0)
- return 0;
+ return -1;
- return entry_size;
+ *out_size = entry_size;
+ return 0;
}
static int read_header(struct index_header *dest, const void *buffer)
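Review bot: The added `if (entry_size == 0)` guard carries no comment, and the hunk does not show when `short_entry_size` or the other size helper can yield zero. Since this check is part of a CVE fix, a one-line why-comment above it would keep a later cleanup from removing it as redundant, for example `/* a zero size is never valid for an entry; treat it as corruption */`. The sum `INDEX_FOOTER_SIZE + entry_size` on the following check is also unguarded against wrap-around. Whether `entry_size` can get large enough to matter depends on code outside the hunk.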
@@ -2426,10 +2431,9 @@ static int parse_index(git_index *index,
/* Parse all the entries */
for (i = 0; i < header.entry_count && buffer_size > INDEX_FOOTER_SIZE; ++i) {
git_index_entry *entry;
- size_t entry_size = read_entry(&entry, index, buffer, buffer_size);
+ size_t entry_size;
- /* 0 bytes read means an object corruption */
- if (entry_size == 0) {
+ if ((error = read_entry(&entry, &entry_size, index, buffer, buffer_size)) < 0) {
error = index_error_invalid("invalid entry");
goto done;
}
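Review bot: The value assigned to `error` from `read_entry` is overwritten on the next line by `index_error_invalid("invalid entry")`, so the assignment inside the condition is dead. As a result a failure of `index_entry_dup` inside `read_entry`, which may be an allocation failure rather than corruption, is reported as an invalid entry. Either drop the assignment, `if (read_entry(&entry, &entry_size, index, buffer, buffer_size) < 0) {`, or have `read_entry` set its own error message and propagate its return code unchanged. The loop body continues outside the hunk.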