File libgit2-boo1100612-bounds-check.patch of Package libgit2.6870
From 25d4a8c9c4a3059c7b473b43dbd5ad391fe2660a Mon Sep 17 00:00:00 2001
From: Patrick Steinhardt <ps@pks.im>
Date: Fri, 29 Jun 2018 09:11:02 +0200
Subject: [PATCH] delta: fix out-of-bounds read of delta

When computing the offset and length of the delta base, we repeatedly increment the `delta` pointer without checking whether we have advanced past its end already, which can thus result in an out-of-bounds read. Fix this by repeatedly checking whether we have reached the end. Add a test which would cause Valgrind to produce an error.

Reported-by: Riccardo Schirone <rschiron@redhat.com>
Test-provided-by: Riccardo Schirone <rschiron@redhat.com>
Backported by Mike Gorse <mgorse@suse.com>
---
diff -urp libgit2-0.24.1.orig/src/delta-apply.c libgit2-0.24.1/src/delta-apply.c
--- libgit2-0.24.1.orig/src/delta-apply.c 2018-08-01 11:50:42.219847072 -0500
+++ libgit2-0.24.1/src/delta-apply.c 2018-08-01 13:25:30.854057992 -0500
@@ -89,15 +89,17 @@ int git__delta_apply(
  /* cmd is a copy instruction; copy from the base. */
  size_t off = 0, len = 0;
 
- if (cmd & 0x01) off = *delta++;
- if (cmd & 0x02) off |= *delta++ << 8;
- if (cmd & 0x04) off |= *delta++ << 16;
- if (cmd & 0x08) off |= ((unsigned) *delta++ << 24UL);
+#define ADD_DELTA(o, shift) { if (delta < delta_end) (o) |= ((unsigned) *delta++ << shift); else goto fail; }
+ if (cmd & 0x01) ADD_DELTA(off, 0UL);
+ if (cmd & 0x02) ADD_DELTA(off, 8UL);
+ if (cmd & 0x04) ADD_DELTA(off, 16UL);
+ if (cmd & 0x08) ADD_DELTA(off, 24UL);
 
- if (cmd & 0x10) len = *delta++;
- if (cmd & 0x20) len |= *delta++ << 8;
- if (cmd & 0x40) len |= *delta++ << 16;
+ if (cmd & 0x10) ADD_DELTA(len, 0UL);
+ if (cmd & 0x20) ADD_DELTA(len, 8UL);
+ if (cmd & 0x40) ADD_DELTA(len, 16UL);
  if (!len) len = 0x10000;
+#undef ADD_DELTA
 
  if (base_len < off + len || res_sz < len)
  goto fail;
diff --git a/tests/delta/apply.c b/tests/delta/apply.c
index 24513e040..5bb95a283 100644
--- a/tests/delta/apply.c
+++ b/tests/delta/apply.c
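Review bot: The bounds check `if (base_len < off + len || res_sz < len)`, left as context after the new ADD_DELTA reads, still adds `off` and `len` before comparing, so where `size_t` is 32 bits a four-byte `off` plus `len` can wrap and pass the check. Writing it without the addition, `if (off > base_len || len > base_len - off || res_sz < len) goto fail;`, closes that on every width; with a 64-bit `size_t` the sum cannot wrap, since `off` is built from at most four bytes and `len` from at most three. Separately, ADD_DELTA expands to a bare `{ ... }` followed by the caller's `;`, which works only because no `else` follows these `if`s; `do { ... } while (0)` is the safer form. The body of git__delta_apply, including `delta_end` and the `fail` label, lies outside the hunk.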
@@ -10,3 +10,12 @@ void test_delta_apply__read_at_off(void)
 
  cl_git_fail(git__delta_apply(&out, &outlen, base, sizeof(base), delta, sizeof(delta)));
 }
+
+void test_delta_apply__read_after_limit(void)
+{
+ unsigned char base[16] = { 0 }, delta[] = { 0x10, 0x70, 0xff };
+ void *out;
+ size_t outlen;
+
+ cl_git_fail(git__delta_apply(&out, &outlen, base, sizeof(base), delta, sizeof(delta)));
+}
--
2.18.0
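Review bot: test_delta_apply__read_after_limit exercises only the first of the new bounds checks, because its delta ends immediately after the 0xff command byte; a delta that is cut off partway through the offset or length bytes is not covered. A second case with some operand bytes present before the end, for example `delta[] = { 0x10, 0x70, 0xff, 0x00, 0x00 }` (a constructed value), would pin the later guards as well. The byte array would also read more easily with a comment such as `/* header: base size 0x10, result size 0x70; 0xff = copy command with every operand bit set, no operand bytes follow */`.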