File libgit2-boo1100612-bounds-check.patch of Package libgit2.6870

Overview Repositories Revisions Requests Users Attributes Meta

File libgit2-boo1100612-bounds-check.patch of Package libgit2.6870

From 25d4a8c9c4a3059c7b473b43dbd5ad391fe2660a Mon Sep 17 00:00:00 2001
From: Patrick Steinhardt <ps@pks.im>
Date: Fri, 29 Jun 2018 09:11:02 +0200
Subject: [PATCH] delta: fix out-of-bounds read of delta

When computing the offset and length of the delta base, we repeatedly
increment the `delta` pointer without checking whether we have advanced
past its end already, which can thus result in an out-of-bounds read.
Fix this by repeatedly checking whether we have reached the end. Add a
test which would cause Valgrind to produce an error.

Reported-by: Riccardo Schirone <rschiron@redhat.com>
Test-provided-by: Riccardo Schirone <rschiron@redhat.com>

Backported by Mike Gorse <mgorse@suse.com>
---
diff -urp libgit2-0.24.1.orig/src/delta-apply.c libgit2-0.24.1/src/delta-apply.c
--- libgit2-0.24.1.orig/src/delta-apply.c	2018-08-01 11:50:42.219847072 -0500
+++ libgit2-0.24.1/src/delta-apply.c	2018-08-01 13:25:30.854057992 -0500
@@ -89,15 +89,17 @@ int git__delta_apply(
 			/* cmd is a copy instruction; copy from the base. */
 			size_t off = 0, len = 0;
 
-			if (cmd & 0x01) off = *delta++;
-			if (cmd & 0x02) off |= *delta++ << 8;
-			if (cmd & 0x04) off |= *delta++ << 16;
-			if (cmd & 0x08) off |= ((unsigned) *delta++ << 24UL);
+#define ADD_DELTA(o, shift) { if (delta < delta_end) (o) |= ((unsigned) *delta++ << shift); else goto fail; }
+			if (cmd & 0x01) ADD_DELTA(off, 0UL);
+			if (cmd & 0x02) ADD_DELTA(off, 8UL);
+			if (cmd & 0x04) ADD_DELTA(off, 16UL);
+			if (cmd & 0x08) ADD_DELTA(off, 24UL);
 
-			if (cmd & 0x10) len = *delta++;
-			if (cmd & 0x20) len |= *delta++ << 8;
-			if (cmd & 0x40) len |= *delta++ << 16;
+			if (cmd & 0x10) ADD_DELTA(len, 0UL);
+			if (cmd & 0x20) ADD_DELTA(len, 8UL);
+			if (cmd & 0x40) ADD_DELTA(len, 16UL);
 			if (!len)       len = 0x10000;
+#undef ADD_DELTA
 
 			if (base_len < off + len || res_sz < len)
 				goto fail;
diff --git a/tests/delta/apply.c b/tests/delta/apply.c
index 24513e040..5bb95a283 100644
--- a/tests/delta/apply.c
+++ b/tests/delta/apply.c
@@ -10,3 +10,12 @@ void test_delta_apply__read_at_off(void)
 
 	cl_git_fail(git__delta_apply(&out, &outlen, base, sizeof(base), delta, sizeof(delta)));
 }
+
+void test_delta_apply__read_after_limit(void)
+{
+	unsigned char base[16] = { 0 }, delta[] = { 0x10, 0x70, 0xff };
+	void *out;
+	size_t outlen;
+
+	cl_git_fail(git__delta_apply(&out, &outlen, base, sizeof(base), delta, sizeof(delta)));
+}
-- 
2.18.0

Places

File libgit2-boo1100612-bounds-check.patch of Package libgit2.6870

Places