
git.kernel.org/pub/scm/git/git.git - Unnamed repository; edit this file 'description' to name the repository.
author    Josh Steadmon <steadmon@google.com>  2019-01-16 01:25:51 +0300
committer Junio C Hamano <gitster@pobox.com>   2019-01-16 07:32:00 +0300
commit    d2b86fbaa1f6c0606330caf3cc3fdf8984ddc66a
tree      7c05e504d723791d208b863e848a41a35e3f20fe /commit-graph.c
parent    aa658574bfcbe03f5703458ac10be1ef3f5f5472
commit-graph: fix buffer read-overflow
fuzz-commit-graph identified a case where Git will read past the end of a buffer containing a commit graph if the graph's header has an incorrect chunk count. A simple bounds check in parse_commit_graph() prevents this.

Signed-off-by: Josh Steadmon <steadmon@google.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
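To make the failure mode concrete, here is an added, self-contained C example (not code from git.git) of a chunk-lookup-table parser in the style of parse_commit_graph(). The layout is constructed for the example and models only the fields the patch touches: an 8-byte header whose byte 6 holds the chunk count, followed by 12-byte lookup entries (4-byte big-endian chunk id, 8-byte big-endian offset) and a 32-byte trailing hash. The constants HDR_SIZE, CHUNKLOOKUP_WIDTH, MAX_RAWSZ, the PARSE_ERR_* codes and both sample buffers are assumptions of this example. The second buffer is the case the commit message describes: the header claims three entries but the file only holds two, so the third read would run past the end without the per-entry check.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Layout assumed for this example (constructed; not the full commit-graph format):
 *   bytes 0..7      header, byte 6 = number of chunks (attacker-controlled)
 *   bytes 8..       num_chunks entries of CHUNKLOOKUP_WIDTH bytes each:
 *                   4-byte big-endian chunk id, 8-byte big-endian chunk offset
 *   last MAX_RAWSZ  trailing hash; no chunk may start inside it            */
#define HDR_SIZE          8
#define CHUNKLOOKUP_WIDTH 12
#define MAX_RAWSZ         32
#define MIN_GRAPH_SIZE    (HDR_SIZE + MAX_RAWSZ)

enum {
    PARSE_ERR_TOO_SMALL       = -1, /* shorter than header plus trailing hash */
    PARSE_ERR_TABLE_TRUNCATED = -2, /* header claims more entries than the file holds */
    PARSE_ERR_BAD_OFFSET      = -3, /* chunk offset points past the usable data */
    PARSE_ERR_TOO_MANY        = -4  /* caller's output array is too small */
};

struct chunk { uint32_t id; uint64_t offset; };

static uint32_t get_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static uint64_t get_be64(const unsigned char *p)
{
    return ((uint64_t)get_be32(p) << 32) | get_be32(p + 4);
}

/* Returns the number of entries parsed, or a negative PARSE_ERR_* code. */
int parse_chunk_table(const unsigned char *data, size_t graph_size,
                      struct chunk *out, size_t max_out)
{
    if (graph_size < MIN_GRAPH_SIZE)
        return PARSE_ERR_TOO_SMALL;

    unsigned num_chunks = data[6];
    const unsigned char *end = data + graph_size;
    const unsigned char *chunk_lookup = data + HDR_SIZE;

    if (num_chunks > max_out)
        return PARSE_ERR_TOO_MANY;

    for (unsigned i = 0; i < num_chunks; i++) {
        /* The check the patch adds: a full entry must remain before we read it.
         * chunk_lookup never passes end because it only advances after this. */
        if ((size_t)(end - chunk_lookup) < CHUNKLOOKUP_WIDTH)
            return PARSE_ERR_TABLE_TRUNCATED;

        out[i].id = get_be32(chunk_lookup);
        out[i].offset = get_be64(chunk_lookup + 4);
        chunk_lookup += CHUNKLOOKUP_WIDTH;

        /* The pre-existing check: chunk data must start inside the file,
         * leaving room for the trailing hash. */
        if (out[i].offset > graph_size - MAX_RAWSZ)
            return PARSE_ERR_BAD_OFFSET;
    }
    return (int)num_chunks;
}

/* Verdict-only wrapper; 256 covers every value a one-byte chunk count can take. */
int chunk_table_status(const unsigned char *data, size_t graph_size)
{
    struct chunk scratch[256];
    return parse_chunk_table(data, graph_size, scratch, 256);
}

/* Constructed input 1: consistent header, two entries, chunk data at 32 and 40,
 * and a zeroed 32-byte trailing hash (unlisted bytes are zero). */
const unsigned char good_graph[80] = {
    'C','G','P','H', 1, 1, 2, 0,              /* header, num_chunks = 2 */
    'O','I','D','F', 0,0,0,0, 0,0,0,32,       /* entry 0 -> offset 32 */
    'O','I','D','L', 0,0,0,0, 0,0,0,40        /* entry 1 -> offset 40 */
};

/* Constructed input 2: header claims three entries but only two follow; the
 * file is exactly MIN_GRAPH_SIZE, so reading entry 2 would run 4 bytes past
 * the end without the per-entry check. */
const unsigned char truncated_graph[40] = {
    'C','G','P','H', 1, 1, 3, 0,              /* num_chunks = 3 */
    'O','I','D','F', 0,0,0,0, 0,0,0,0,        /* entry 0 -> offset 0 */
    'O','I','D','L', 0,0,0,0, 0,0,0,8         /* entry 1 -> offset 8 */
};

int main(void)
{
    printf("good_graph:      %d\n", chunk_table_status(good_graph, sizeof good_graph));
    printf("truncated_graph: %d (PARSE_ERR_TABLE_TRUNCATED is %d)\n",
           chunk_table_status(truncated_graph, sizeof truncated_graph),
           PARSE_ERR_TABLE_TRUNCATED);
    return 0;
}
```

The check is done per entry rather than once up front (`num_chunks * CHUNKLOOKUP_WIDTH` against the remaining size) so that no multiplication on an attacker-chosen count is needed; the cost is one comparison per chunk, which is negligible for a table of at most 255 entries.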
Diffstat (limited to 'commit-graph.c')
-rw-r--r--  commit-graph.c | 14
1 file changed, 12 insertions, 2 deletions
diff --git a/commit-graph.c b/commit-graph.c
index 15afad245a..359e782dee 100644
--- a/commit-graph.c
+++ b/commit-graph.c
@@ -165,10 +165,20 @@ struct commit_graph *parse_commit_graph(void *graph_map, int fd,
last_chunk_offset = 8;
chunk_lookup = data + 8;
for (i = 0; i < graph->num_chunks; i++) {
- uint32_t chunk_id = get_be32(chunk_lookup + 0);
- uint64_t chunk_offset = get_be64(chunk_lookup + 4);
+ uint32_t chunk_id;
+ uint64_t chunk_offset;
int chunk_repeated = 0;
+ if (data + graph_size - chunk_lookup <
+ GRAPH_CHUNKLOOKUP_WIDTH) {
+ error(_("chunk lookup table entry missing; graph file may be incomplete"));
+ free(graph);
+ return NULL;
+ }
+
+ chunk_id = get_be32(chunk_lookup + 0);
+ chunk_offset = get_be64(chunk_lookup + 4);
+
chunk_lookup += GRAPH_CHUNKLOOKUP_WIDTH;
if (chunk_offset > graph_size - GIT_MAX_RAWSZ) {
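Review bot: the new check `data + graph_size - chunk_lookup < GRAPH_CHUNKLOOKUP_WIDTH` is a signed pointer difference, and nothing visible in this hunk guarantees graph_size >= 8 before `chunk_lookup = data + 8`; if a shorter file can reach this point the difference is negative, which still satisfies `<` and returns NULL, so the check is safe, but a comment saying that this is relied upon would help the next reader, and the same question applies to `graph_size - GIT_MAX_RAWSZ` on the following line, which wraps if graph_size is smaller than GIT_MAX_RAWSZ and is not caught earlier. Two smaller points: the error message would be more useful for triaging fuzzer finds if it included the entry index and the header's chunk count (e.g. "chunk lookup table entry %d of %d missing"), and a regression test that feeds a graph with an inflated chunk count, like the one fuzz-commit-graph produced, would pin the fix (the diffstat is limited to commit-graph.c, so such a test may be elsewhere in the series).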