On Fri, May 25, 2018 at 7:17 PM, Jeremy Linton <lintonrjeremy@xxxxxxxxx> wrote:
> The buffer being passed to zlib includes a null terminator that
> git needs to keep in place. unpack_compressed_entry() attempts to
> detect the case that the source buffer hasn't been fully consumed
> by checking to see if the destination buffer has been over consumed.
>
> This yields two problems, first a single byte overrun won't be detected
> properly because the Z_STREAM_END will then be set, but the null
> terminator will have been overwritten. The other problem is that
> more recent zlib patches have been poisoning the unconsumed portions
> of the buffers which also overwrites the null, while correctly
> returning length and status.
>
> Lets rely on the fact that the source buffer will only be fully

s/Lets/Let's/

> consumed when the when the destination buffer is inflated to the

s/when the when the/when the/

> correct size. We can do this by passing zlib the correct buffer size
> and properly checking the return status. The latter check actually
> already exists if the buffer size is correct.
>
> Signed-off-by: Jeremy Linton <lintonrjeremy@xxxxxxxxx>
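As an added illustration, not code from the patch or from git itself, the corrected check modelled in Python with the standard zlib module: inflate with an output limit of exactly `size` bytes (standing in for `avail_out`), then require both the end-of-stream status (`eof`, standing in for `Z_STREAM_END`) and an exact output length before appending the NUL terminator git keeps after the payload. The sample payload is constructed here.

```python
import zlib


def unpack_compressed_entry(compressed: bytes, size: int):
    """Inflate an object body that the pack claims is exactly `size` bytes.

    Mirrors the corrected git check: zlib gets an output limit of exactly
    `size` (max_length plays the role of avail_out), so a payload longer
    than claimed can never spill into the terminator.  The entry is accepted
    only if the stream reached its end (d.eof ~ Z_STREAM_END) and exactly
    `size` bytes came out (the total_out check).  Returns None when corrupt.
    """
    if size < 0:
        return None
    d = zlib.decompressobj()
    try:
        # Note: max_length=0 means "unlimited" in Python, so a size-0 entry is
        # bounded only by the length check below rather than by zlib itself.
        out = d.decompress(compressed, size)
    except zlib.error:
        return None  # malformed deflate stream
    if len(out) != size:
        return None  # payload shorter than claimed (stream ended early)
    if not d.eof:
        return None  # output limit hit before end of stream: payload too long
    return out + b"\x00"  # terminator appended by us; zlib never wrote past size


# Constructed sample: a blob body and its deflate stream as stored in a pack.
PAYLOAD = b"hello, packfile\n"
COMPRESSED = zlib.compress(PAYLOAD)


def demo():
    """Exercise the exact, one-byte-short and one-byte-long claimed sizes."""
    exact = unpack_compressed_entry(COMPRESSED, len(PAYLOAD))
    too_small = unpack_compressed_entry(COMPRESSED, len(PAYLOAD) - 1)  # overrun case
    too_large = unpack_compressed_entry(COMPRESSED, len(PAYLOAD) + 1)
    return exact, too_small, too_large


if __name__ == "__main__":
    exact, too_small, too_large = demo()
    assert exact == PAYLOAD + b"\x00"
    assert too_small is None and too_large is None
    print("checks passed")
```

The one-byte-short claimed size is the overrun case the commit message describes: zlib stops at the limit without reporting end-of-stream, so the entry is rejected instead of silently clobbering the terminator.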