diff options
| author | Patrick Steinhardt <ps@pks.im> | 2018-10-29 19:25:09 +0300 |
|---|---|---|
| committer | Edward Thomson <ethomson@edwardthomson.com> | 2019-01-25 20:43:17 +0300 |
| commit | d64b0a69e10fcb028229fba91f777fc4a5d83e94 (patch) | |
| tree | b266b49e8d2c66f31e4b7ca47dbd8e37f3e5d7e0 | |
| parent | af9692ba08daf1b384377966af063f5aa4748c72 (diff) | |
tree: fix mode parsing reading out-of-bounds
When parsing a tree entry's mode, we will eagerly parse until we hit a
character that is not in the accepted set of octal digits '0' - '7'. If
the provided buffer is not a NUL terminated one, we may thus read
out-of-bounds.
Fix the issue by passing the buffer length to `parse_mode` and paying
attention to it. Note that this is not a vulnerability in our usual code
paths, as all object data read from the ODB is NUL terminated.
| -rw-r--r-- | src/tree.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/src/tree.c b/src/tree.c index a014ce807..d9faaa7f6 100644 --- a/src/tree.c +++ b/src/tree.c @@ -399,15 +399,16 @@ static int tree_error(const char *str, const char *path) return -1; } -static int parse_mode(unsigned int *modep, const char *buffer, const char **buffer_out) +static int parse_mode(unsigned int *modep, const char *buffer, size_t buffer_len, const char **buffer_out) { + const char *buffer_end = buffer + buffer_len; unsigned char c; unsigned int mode = 0; if (*buffer == ' ') return -1; - while ((c = *buffer++) != ' ') { + while (buffer < buffer_end && (c = *buffer++) != ' ') { if (c < '0' || c > '7') return -1; mode = (mode << 3) + (c - '0'); @@ -439,7 +440,7 @@ int git_tree__parse(void *_tree, git_odb_object *odb_obj) const char *nul; unsigned int attr; - if (parse_mode(&attr, buffer, &buffer) < 0 || !buffer) + if (parse_mode(&attr, buffer, buffer_end - buffer, &buffer) < 0 || !buffer) return tree_error("failed to parse tree: can't parse filemode", NULL); if ((nul = memchr(buffer, 0, buffer_end - buffer)) == NULL) |