diff options
| author | Jeff King <peff@peff.net> | 2023-12-13 01:12:43 +0300 |
|---|---|---|
| committer | Junio C Hamano <gitster@pobox.com> | 2023-12-13 02:32:49 +0300 |
| commit | d1bd3a8c3424e818f4117a39fe418909e24cea5f (patch) | |
| tree | e1729700af6af6f1dbf190a0122eaede5ded3004 /mailinfo.c | |
| parent | 0d1bd1dfb37ef25e1911777c94129fc769ffec38 (diff) | |
mailinfo: fix out-of-bounds memory reads in unquote_quoted_pair()
When processing a header like a "From" line, mailinfo uses
unquote_quoted_pair() to handle double-quotes and rfc822 parenthesized
comments. It takes a NUL-terminated string on input, and loops over the
"in" pointer until it sees the NUL. When it finds the start of an
interesting block, it delegates to helper functions which also increment
"in", and return the updated pointer.
But there's a bug here: the helpers find the NUL with a post-increment
in the loop condition, like:
while ((c = *in++) != 0)
So when they do see a NUL (rather than the correct termination of the
quote or comment section), they return "in" as one _past_ the NUL
terminator. And thus the outer loop in unquote_quoted_pair() does not
realize we hit the NUL, and keeps reading past the end of the buffer.
We should instead make sure to return "in" positioned at the NUL, so
that the caller knows to stop their loop, too. A hacky way to do this is
to return "in - 1" after leaving the inner loop. But a slightly cleaner
solution is to avoid incrementing "in" until we are sure it contained a
non-NUL byte (i.e., doing it inside the loop body).
The two tests here show off the problem. Since we check the output,
they'll _usually_ report a failure in a normal build, but it depends on
what garbage bytes are found after the heap buffer. Building with
SANITIZE=address reliably notices the problem. The outcome (both the
exit code and the exact bytes) are just what Git happens to produce for
these cases today, and shouldn't be taken as an endorsement. It might be
reasonable to abort on an unterminated string, for example. The priority
for this patch is fixing the out-of-bounds memory access.
Reported-by: Carlos Andrés Ramírez Cataño <antaigroupltda@gmail.com>
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'mailinfo.c')
| -rw-r--r-- | mailinfo.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/mailinfo.c b/mailinfo.c index 833d28612f..542d4458f6 100644 --- a/mailinfo.c +++ b/mailinfo.c @@ -56,12 +56,12 @@ static void parse_bogus_from(struct mailinfo *mi, const struct strbuf *line) static const char *unquote_comment(struct strbuf *outbuf, const char *in) { - int c; int take_next_literally = 0; strbuf_addch(outbuf, '('); - while ((c = *in++) != 0) { + while (*in) { + int c = *in++; if (take_next_literally == 1) { take_next_literally = 0; } else { @@ -86,10 +86,10 @@ static const char *unquote_comment(struct strbuf *outbuf, const char *in) static const char *unquote_quoted_string(struct strbuf *outbuf, const char *in) { - int c; int take_next_literally = 0; - while ((c = *in++) != 0) { + while (*in) { + int c = *in++; if (take_next_literally == 1) { take_next_literally = 0; } else { |