From 12192a9db9beb3c45dd5064f34d1fcdc71f6a062 Mon Sep 17 00:00:00 2001
From: Jeff King
Date: Mon, 9 Oct 2023 17:05:56 -0400
Subject: commit-graph: detect out-of-order BIDX offsets

The BIDX chunk tells us the offsets at which each commit's Bloom filters can be found in the BDAT chunk. We compute the length of each filter by checking the offsets of neighbors and subtracting them. If the offsets are out of order, then we'll get a negative length, which we then store as a very large unsigned value. This can cause us to read out-of-bounds memory, as we access the hash data modulo "filter->len * BITS_PER_WORD". We can easily detect this case when loading the individual filters.

Signed-off-by: Jeff King
Signed-off-by: Junio C Hamano
---
 bloom.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'bloom.c')

diff --git a/bloom.c b/bloom.c
index 61abad7f8c..1474aa19fa 100644
--- a/bloom.c
+++ b/bloom.c
@@ -75,6 +75,16 @@ static int load_bloom_filter_from_graph(struct commit_graph *g,
 	    check_bloom_offset(g, lex_pos - 1, start_index) < 0)
 		return 0;
 
+	if (end_index < start_index) {
+		warning("ignoring decreasing changed-path index offsets"
+			" (%"PRIuMAX" > %"PRIuMAX") for positions"
+			" %"PRIuMAX" and %"PRIuMAX" of %s",
+			(uintmax_t)start_index, (uintmax_t)end_index,
+			(uintmax_t)(lex_pos-1), (uintmax_t)lex_pos,
+			g->filename);
+		return 0;
+	}
+
 	filter->len = end_index - start_index;
 	filter->data = (unsigned char *)(g->chunk_bloom_data +
 					 sizeof(unsigned char) * start_index +
-- 
cgit v1.2.3
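Review bot: The new guard rejects only a strict decrease, so `end_index == start_index` still passes and the context line below stores `filter->len = 0`; since the commit message says this length later feeds a modulus (`filter->len * BITS_PER_WORD`), a reader needs to know that a zero-length filter is a legitimate encoding rather than an oversight, and that is not stated anywhere in the hunk. A one-line comment above the new `if` would settle it, e.g. `/* equal offsets are a valid empty filter; only a decrease indicates a corrupt BIDX chunk */` — adjust if the zero-length case is in fact handled by the callers, which are outside this hunk. As a point of style, `(uintmax_t)(lex_pos-1)` in the warning arguments is spaced differently from `lex_pos - 1` on the retained context line two lines above; `(uintmax_t)(lex_pos - 1)` would match. The enclosing function load_bloom_filter_from_graph starts and ends outside the hunk.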