diff options
| author | Patrick Steinhardt <ps@pks.im> | 2022-12-01 17:47:23 +0300 |
|---|---|---|
| committer | Junio C Hamano <gitster@pobox.com> | 2022-12-09 08:26:21 +0300 |
| commit | 304a50adff6480ede46b68f7545baab542cbfb46 (patch) | |
| tree | 865578d1011a7c2a3ba0b844887a1e96f0f9aaa9 /t/t4205-log-pretty-formats.sh | |
| parent | f930a2394303b902e2973f4308f96529f736b8bc (diff) | |
pretty: restrict input lengths for padding and wrapping formats
Both the padding and wrapping formatting directives allow the caller to
specify an integer that ultimately leads to us adding this many chars to
the result buffer. As a consequence, it is trivial to e.g. allocate 2GB
of RAM via a single formatting directive and cause resource exhaustion
on the machine executing this logic. Furthermore, it is debatable
whether there are any sane usecases that require the user to pad data to
2GB boundaries or to indent wrapped data by 2GB.
Restrict the input sizes to 16 kilobytes at a maximum to limit the
amount of bytes that can be requested by the user. This is not meant
as a fix because there are ways to trivially amplify the amount of
data we generate via formatting directives; the real protection is
achieved by the changes in previous steps to catch and avoid integer
wraparound that causes us to under-allocate and access beyond the
end of allocated memory reagions. But having such a limit
significantly helps fuzzing the pretty format, because the fuzzer is
otherwise quite fast to run out-of-memory as it discovers these
formatters.
Signed-off-by: Patrick Steinhardt <ps@pks.im>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 't/t4205-log-pretty-formats.sh')
| -rwxr-xr-x | t/t4205-log-pretty-formats.sh | 24 |
1 files changed, 15 insertions, 9 deletions
diff --git a/t/t4205-log-pretty-formats.sh b/t/t4205-log-pretty-formats.sh index 5c5b56596e..84c61dfc48 100755 --- a/t/t4205-log-pretty-formats.sh +++ b/t/t4205-log-pretty-formats.sh @@ -888,15 +888,21 @@ test_expect_success 'log --pretty with magical wrapping directives' ' ' test_expect_success SIZE_T_IS_64BIT 'log --pretty with overflowing wrapping directive' ' - cat >expect <<-EOF && - fatal: number too large to represent as int on this platform: 2147483649 - EOF - test_must_fail git log -1 --pretty="format:%w(2147483649,1,1)%d" 2>error && - test_cmp expect error && - test_must_fail git log -1 --pretty="format:%w(1,2147483649,1)%d" 2>error && - test_cmp expect error && - test_must_fail git log -1 --pretty="format:%w(1,1,2147483649)%d" 2>error && - test_cmp expect error + printf "%%w(2147483649,1,1)0" >expect && + git log -1 --pretty="format:%w(2147483649,1,1)%x30" >actual && + test_cmp expect actual && + printf "%%w(1,2147483649,1)0" >expect && + git log -1 --pretty="format:%w(1,2147483649,1)%x30" >actual && + test_cmp expect actual && + printf "%%w(1,1,2147483649)0" >expect && + git log -1 --pretty="format:%w(1,1,2147483649)%x30" >actual && + test_cmp expect actual +' + +test_expect_success SIZE_T_IS_64BIT 'log --pretty with overflowing padding directive' ' + printf "%%<(2147483649)0" >expect && + git log -1 --pretty="format:%<(2147483649)%x30" >actual && + test_cmp expect actual ' test_expect_success 'log --pretty with padding and preceding control chars' ' |