‘git archive --format=<string of 25 characters or more>’ overflows a local buffer, producing a segfault here. The context: in commit 0f4b377 (git-archive: infer output format from filename when unspecified, 2009-09-14), the cmd_archive wrapper learned to produce a format argument for the local or remote archive machinery in a local buffer, but that code was missing a bounds check. So add the missing check. As a belt-and-suspenders measure, also use snprintf to make sure the copy afterwards does not overflow. Cc: Rene Scharfe <rene.scharfe@xxxxxxxxxxxxxx> Cc: Dmitry Potapov <dpotapov@xxxxxxxxx> Signed-off-by: Jonathan Nieder <jrnieder@xxxxxxxxx> --- I noticed this while reading over the archive code. Thoughts? builtin-archive.c | 4 +++- t/t5000-tar-tree.sh | 6 ++++++ 2 files changed, 9 insertions(+), 1 deletions(-) diff --git a/builtin-archive.c b/builtin-archive.c index 3fb4136..94db00d 100644 --- a/builtin-archive.c +++ b/builtin-archive.c @@ -107,7 +107,9 @@ int cmd_archive(int argc, const char **argv, const char *prefix) } if (format) { - sprintf(fmt_opt, "--format=%s", format); + if (strlen(format) > sizeof(fmt_opt) - sizeof("--format=")) + die("git archive: format is too long: %.50s", format); + snprintf(fmt_opt, sizeof(fmt_opt), "--format=%s", format); /* * We have enough room in argv[] to muck it in place, * because either --format and/or --output must have diff --git a/t/t5000-tar-tree.sh b/t/t5000-tar-tree.sh index 0037f63..cf114b2 100755 --- a/t/t5000-tar-tree.sh +++ b/t/t5000-tar-tree.sh 
@@ -174,6 +174,12 @@ test_expect_success \ ' test_expect_success \ + 'git archive --format=<long nonsense string>' \ + 'format=abacadabra && + format="${format}${format}${format}zip" && + test_must_fail git archive "--format=$format" HEAD' + +test_expect_success \ 'git archive --format=zip' \ 'git archive --format=zip HEAD >d.zip' -- 1.7.0.rc1
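Review bot: in the builtin-archive.c hunk the bound `strlen(format) > sizeof(fmt_opt) - sizeof("--format=")` is exactly right only because sizeof("--format=") counts the terminating NUL, and the same literal now appears twice (once in the check, once in the snprintf format string), so the two can silently drift apart the next time someone edits one of them. A short comment on the arithmetic would help, or the duplication can be removed by letting snprintf do the measuring and checking its return value, e.g. `if (snprintf(fmt_opt, sizeof(fmt_opt), "--format=%s", format) >= (int)sizeof(fmt_opt)) die("git archive: format is too long: %.50s", format);`. As written the snprintf can never truncate once the check has passed, so the belt-and-suspenders call is harmless but does not add protection on its own.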
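Review bot: the new t5000 test only asserts that `git archive "--format=$format" HEAD` exits non-zero, so it cannot tell the new "format is too long" die() apart from any other rejection of the 33-character string (abacadabra three times plus zip), and a future change that stops crashing but reports the value as an unknown format would keep it green for the wrong reason. Consider capturing stderr and grepping for the message the patch adds, e.g. `test_must_fail git archive "--format=$format" HEAD 2>err && grep "format is too long" err`, so the test pins the code path the fix introduces.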