github.com/mono/libgit2.git
author Patrick Steinhardt <ps@pks.im> 2018-10-18 12:29:06 +0300
committer Patrick Steinhardt <ps@pks.im> 2018-10-26 15:35:16 +0300
commit da0e03ce0298dd0fc409ac4abf06fbad0d20e60a (patch)
tree 8548cc634d343d3698d91fc255eb7dbced9124b0
parent 2b32806bc4734cb4e1f450276e98ff362b5224d3 (diff)
index: avoid out-of-bounds read when reading reuc entry stage
We use `git__strtol64` to parse file modes of the index entries, which does not limit the parsed buffer length. As the index can be essentially treated as "untrusted" in that the data stems from the file system, it may be misformatted and may not contain terminating `NUL` bytes. This may lead to out-of-bounds reads when trying to parse index entries with such malformatted modes. Fix the issue by using `git__strntol64` instead.

(cherry picked from commit 600ceadd1426b874ae0618651210a690a68b27e9)
-rw-r--r-- src/index.c 2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/index.c b/src/index.c
index c5f6550d6..d7952ac6e 100644
--- a/src/index.c
+++ b/src/index.c
@@ -2202,7 +2202,7 @@ static int read_reuc(git_index *index, const char *buffer, size_t size)
for (i = 0; i < 3; i++) {
int64_t tmp;
- if (git__strtol64(&tmp, buffer, &endptr, 8) < 0 ||
+ if (git__strntol64(&tmp, buffer, size, &endptr, 8) < 0 ||
!endptr || endptr == buffer || *endptr ||
tmp < 0 || tmp > UINT32_MAX) {
index_entry_reuc_free(lost);
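Review bot: The `*endptr` test on the line after the changed call can still read one byte past the bound. If the octal digits run all the way to `buffer + size`, a length-limited parse leaves `endptr` pointing at `buffer[size]`, and `*endptr` then dereferences it. Compare `endptr` against `buffer + size` before dereferencing, for example by putting `endptr == buffer + size ||` ahead of `*endptr`. The call also sits inside the `for (i = 0; i < 3; i++)` loop and passes `size` on every iteration; the lines visible here do not show `size` shrinking as `buffer` advances, so confirm that it does, otherwise the second and third stage are parsed with a bound that is too large. A regression test with a REUC entry whose mode field has no terminating NUL would cover both cases.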