[PATCH 0/6] harden tree-walking against integer overflow

I noticed that it's possible to get funny integer over/underflows with
tree-walk's traverse_info (with specially-crafted absurdly-sized tree
paths). I wasn't able to turn this into an actual buffer overflow
because the funky sizes cause allocation failures way before we ever get
into make_traverse_path(). But it makes sense to protect ourselves
anyway.

The first two patches are an unrelated memory problem I found (and
they're here in the same series because I build on the cleanups). I
don't think it's security-relevant, though; it involves reading from
uninitialized heap memory, but we don't actually _do_ anything with the
result. We just copy uninitialized bytes from one heap buffer to the
other, and then never look at them again.

  [1/6]: setup_traverse_info(): stop copying oid
  [2/6]: tree-walk: drop oid from traverse_info
  [3/6]: tree-walk: use size_t consistently
  [4/6]: tree-walk: accept a raw length for traverse_path_len()
  [5/6]: tree-walk: add a strbuf wrapper for make_traverse_path()
  [6/6]: tree-walk: harden make_traverse_path() length computations

 Documentation/technical/api-tree-walking.txt |  8 ++-
 builtin/merge-tree.c                         |  5 +-
 cache-tree.c                                 |  2 +-
 tree-walk.c                                  | 64 +++++++++++------
 tree-walk.h                                  | 18 +++--
 unpack-trees.c                               | 74 +++++++++++---------
 6 files changed, 103 insertions(+), 68 deletions(-)

-Peff
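As an added illustration of the kind of hardening the last patch describes (this is not code from the series or from git itself), the following checks a path-length sum component by component so an absurdly sized tree path reports an overflow instead of wrapping; struct `path_component`, `add_overflows()` and `safe_traverse_path_len()` are hypothetical names standing in for traverse_info and traverse_path_len().

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical, simplified stand-in for traverse_info: a chain from the
 * current tree entry back to the root, each link carrying only the length
 * of its path component. Not git's real struct. */
struct path_component {
    const struct path_component *prev; /* parent component, NULL at root */
    size_t namelen;                    /* length of this component's name */
};

/* Overflow-checked size_t addition: stores a + b in *out and returns 0,
 * or returns 1 without touching *out if the sum would wrap. */
static int add_overflows(size_t a, size_t b, size_t *out)
{
    if (a > SIZE_MAX - b)
        return 1;
    *out = a + b;
    return 0;
}

/* Total length of the joined path: every component's name, plus one '/'
 * separator between neighbouring components. Returns 0 and sets *len on
 * success, or -1 if any intermediate sum would overflow size_t, so the
 * caller can refuse the path rather than allocate a wrapped-around size. */
int safe_traverse_path_len(const struct path_component *info, size_t *len)
{
    size_t total = 0;
    int first = 1;

    for (; info; info = info->prev) {
        /* separator before every component except the first one seen */
        if (!first && add_overflows(total, 1, &total))
            return -1;
        if (add_overflows(total, info->namelen, &total))
            return -1;
        first = 0;
    }
    *len = total;
    return 0;
}
```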