On Fri, Oct 28, 2022 at 03:29:33PM -0700, Martin Englund wrote:
> What did you do before the bug happened? (Steps to reproduce your issue)
> I created a signed tag (git tag -s) using a ssh-agent key and then ran
> git tag -l --format '%(contents:body)' v0.6.1
>
> What did you expect to happen? (Expected behavior)
> I get the output
>
> What happened instead? (Actual behavior)
> fatal: Out of memory, malloc failed (tried to allocate
> 18446744073709551266 bytes)
Thanks for the report. This looks like pointer or size_t arithmetic that
has gone negative. Here's a minimal reproduction:
{
echo subject
echo "-----BEGIN PGP SIGNATURE-----"
} | git tag -F - foo
git tag -l --format='%(contents:body)' foo
The issue isn't unique to pgp signatures; the problem is in the parsing
done by ref-filter's find_subpos(), so any signature type exhibits the
problem. At the end of that function we do:
*nonsiglen = sigstart - buf;
but "buf" has moved beyond "sigstart". Presumably because it uses
strstr() to look for end-of-line in buf. Since there isn't one before
the signature begins, we go to the end of the signature.
The bug bisects to 9f75ce3d8f (ref-filter: handle CRLF at end-of-line
more gracefully, 2020-10-29). Before then, I think our loop was careful
about moving past the start of the signature. Author cc'd.
-Peff
