The current code can access memory outside of the tree buffer in the case of malformed tree entries. This patch prevents this by:

* The rest of the buffer must be at least 24 bytes (at least 1 byte mode, 1 blank, at least one byte path name, 1 zero, 20 bytes sha1).
* Check that the last zero (21 bytes before the end) is present. This ensures that strlen and get_mode stay within the buffer.
* The mode may not be empty. We have only to reject a blank at the beginning, as the rest is handled by if (c < '0' || c > '7').
* The blank is ensured by get_mode.
* The start of the path may not be after the last zero (21 bytes before the end).

Signed-off-by: Martin Koegler <mkoegler@xxxxxxxxxxxxxxxxx>
---
 tree-walk.c |   11 +++++++++--
 1 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/tree-walk.c b/tree-walk.c
index 8d4b673..bd88ec7 100644
--- a/tree-walk.c
+++ b/tree-walk.c
@@ -7,6 +7,9 @@ static const char *get_mode(const char *str, unsigned int *modep)
 	unsigned char c;
 	unsigned int mode = 0;
 
+	if (*str == ' ')
+		return NULL;
+
 	while ((c = *str++) != ' ') {
 		if (c < '0' || c > '7')
 			return NULL;
@@ -16,13 +19,17 @@ static const char *get_mode(const char *str, unsigned int *modep)
 	return str;
 }
 
-static void decode_tree_entry(struct tree_desc *desc, const void *buf, unsigned long size)
+static void decode_tree_entry(struct tree_desc *desc, const char *buf, unsigned long size)
 {
 	const char *path;
 	unsigned int mode, len;
+	const char *end = buf + size - 21;
+
+	if (size < 24 || *end)
+		die("corrupt tree file");
 
 	path = get_mode(buf, &mode);
-	if (!path)
+	if (!path || path > end)
 		die("corrupt tree file");
 	len = strlen(path) + 1;
 
-- 
1.4.4.4
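Review bot: In the get_mode hunk, the new `if (*str == ' ') return NULL;` rejects only an empty mode; nothing in the loop bounds how many octal digits it consumes, so a mode of arbitrary length is accepted as long as every byte is in '0'..'7' (the NUL the caller now guarantees is what finally stops it). Since `mode` is accumulated in an `unsigned int`, a digit counter that returns NULL past a small maximum (real git modes never exceed 6 octal digits) would both tighten validation and rule out wrap-around. A one-line comment above the new check explaining why the empty mode must be caught before the loop (the loop alone would accept a leading blank and hand back `str` pointing at the path) would help the next reader.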
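Review bot: In the decode_tree_entry hunk, `if (!path || path > end)` still admits `path == end`, i.e. an entry whose path name is the empty string, although the commit message's 24-byte minimum assumes at least one byte of path name; if an empty path is meant to be rejected, the test should be `path >= end`. Also, `const char *end = buf + size - 21;` is evaluated before `size < 24` is tested, so for a short buffer the arithmetic forms a pointer before the start of `buf` (undefined in C even though it is never dereferenced); assigning `end` after the size check avoids that. The change of `buf` from `const void *` to `const char *` is harmless for C callers but alters the function's interface and deserves a sentence in the commit message.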
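The checks the commit message lists (minimum size, sentinel NUL 21 bytes before the end, non-empty octal mode, path start before the sentinel), as an added example in C that is not git's code and not the patch author's: a decoder over the same entry layout, "<octal mode> <path>\0<20-byte sha1>", returning one error code per rejection reason so each check can be exercised on constructed input. It goes beyond the patch in two marked places: a cap on the number of mode digits, and `path >= end` so that an empty path is rejected. Function names, the error enum, and the sample entries (with a run of "X" standing in for a real sha1) are all constructed here.

```c
/*
 * Added example (not git's own code): a bounds-checked decoder for entries of
 * the git tree object format, "<octal mode> <path>\0<20-byte sha1>", applying
 * the checks the patch above describes. Names, error codes and all sample data
 * are constructed for this example.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SHA1_LEN 20
#define MAX_MODE_DIGITS 7   /* assumption: real modes have at most 6 octal digits */

enum tree_err {
    TREE_OK = 0,
    TREE_TOO_SHORT,      /* fewer than 24 bytes remain */
    TREE_NO_TERMINATOR,  /* byte 21 from the end is not NUL, so strlen could overrun */
    TREE_BAD_MODE,       /* empty, non-octal or over-long mode */
    TREE_BAD_PATH        /* path would start at the final NUL (empty path) */
};

struct tree_entry_view {
    unsigned int mode;
    const char *path;          /* NUL-terminated, points into the buffer */
    const unsigned char *sha1; /* SHA1_LEN raw bytes following the NUL */
    size_t consumed;           /* bytes this entry occupies */
};

/* Parse "<octal digits> "; 'end' is the buffer's guaranteed NUL, so the loop never leaves the buffer. */
static const char *parse_mode(const char *str, const char *end, unsigned int *modep)
{
    unsigned int mode = 0;
    int ndigits = 0;

    if (*str == ' ')                      /* reject an empty mode, as the patch does */
        return NULL;
    while (str < end && *str != ' ') {
        unsigned char c = (unsigned char)*str++;
        if (c < '0' || c > '7')
            return NULL;
        if (++ndigits > MAX_MODE_DIGITS)  /* extra guard: 'mode' cannot silently wrap */
            return NULL;
        mode = (mode << 3) + (c - '0');
    }
    if (str >= end)                       /* hit the NUL before finding a blank */
        return NULL;
    *modep = mode;
    return str + 1;                       /* skip the blank; the path starts here */
}

/* Decode the first entry of the remaining buffer. 'out' may be NULL. */
enum tree_err decode_entry(const char *buf, size_t size, struct tree_entry_view *out)
{
    const char *end, *path;
    unsigned int mode;
    size_t len;

    if (size < 24)                        /* 1 mode + blank + 1 path + NUL + 20 sha1 */
        return TREE_TOO_SHORT;
    end = buf + size - (SHA1_LEN + 1);    /* the buffer's last entry must have its NUL here */
    if (*end != '\0')
        return TREE_NO_TERMINATOR;
    path = parse_mode(buf, end, &mode);
    if (!path)
        return TREE_BAD_MODE;
    if (path >= end)                      /* stricter than the patch's '>': no empty path */
        return TREE_BAD_PATH;
    len = strlen(path) + 1;               /* bounded by the NUL at 'end' */
    if (out) {
        out->mode = mode;
        out->path = path;
        out->sha1 = (const unsigned char *)(path + len);
        out->consumed = (size_t)(path - buf) + len + SHA1_LEN;  /* never exceeds size */
    }
    return TREE_OK;
}

/* Walk every entry; returns the entry count, or -1 (with *err set) at the first corrupt entry. */
int count_entries(const char *buf, size_t size, enum tree_err *err)
{
    int n = 0;

    while (size > 0) {
        struct tree_entry_view e;
        enum tree_err rc = decode_entry(buf, size, &e);
        if (rc != TREE_OK) {
            if (err)
                *err = rc;
            return -1;
        }
        buf += e.consumed;
        size -= e.consumed;
        n++;
    }
    if (err)
        *err = TREE_OK;
    return n;
}

/* Constructed samples; SHA1_FAKE is a placeholder, not a real hash. */
#define SHA1_FAKE "XXXXXXXXXXXXXXXXXXXX"
#define LEN(s) (sizeof(s) - 1)
static const char SAMPLE_TREE[]       = "100644 a.txt\0" SHA1_FAKE "40000 dir\0" SHA1_FAKE;
static const char SAMPLE_EMPTY_MODE[] = " a.txt\0" SHA1_FAKE;
static const char SAMPLE_BAD_DIGIT[]  = "100648 a\0" SHA1_FAKE;
static const char SAMPLE_LONG_MODE[]  = "77777777 a\0" SHA1_FAKE;
static const char SAMPLE_EMPTY_PATH[] = "12 \0" SHA1_FAKE;
static const char SAMPLE_NO_NUL[]     = "100644 a.txt" SHA1_FAKE "X";

int main(void)
{
    enum tree_err err;
    int n = count_entries(SAMPLE_TREE, LEN(SAMPLE_TREE), &err);
    printf("well-formed tree: %d entries (err=%d)\n", n, err);
    n = count_entries(SAMPLE_TREE, LEN(SAMPLE_TREE) - 1, &err);  /* truncated by one byte */
    printf("truncated tree: %d (err=%d)\n", n, err);
    return 0;
}
```

Truncating the two-entry buffer by a single byte is caught by the sentinel check before any parsing happens, which is the property the patch relies on: once the NUL 21 bytes from the end is known to exist, `strlen` and the mode loop cannot leave the buffer.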