Skip to content

Commit ce18135

Browse files
author
Junio C Hamano
committed
Merge branch 'maint'
* maint: count-delta: match get_delta_hdr_size() changes. check patch_delta bounds more carefully
2 parents 9760662 + 98cf815 commit ce18135

File tree

3 files changed

+28
-9
lines changed

3 files changed

+28
-9
lines changed

delta.h

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -16,7 +16,8 @@ extern void *patch_delta(void *src_buf, unsigned long src_size,
1616
* This must be called twice on the delta data buffer, first to get the
1717
* expected reference buffer size, and again to get the result buffer size.
1818
*/
19-
static inline unsigned long get_delta_hdr_size(const unsigned char **datap)
19+
static inline unsigned long get_delta_hdr_size(const unsigned char **datap,
20+
const unsigned char *top)
2021
{
2122
const unsigned char *data = *datap;
2223
unsigned char cmd;
@@ -26,7 +27,7 @@ static inline unsigned long get_delta_hdr_size(const unsigned char **datap)
2627
cmd = *data++;
2728
size |= (cmd & ~0x80) << i;
2829
i += 7;
29-
} while (cmd & 0x80);
30+
} while (cmd & 0x80 && data < top);
3031
*datap = data;
3132
return size;
3233
}

patch-delta.c

Lines changed: 21 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -28,12 +28,12 @@ void *patch_delta(void *src_buf, unsigned long src_size,
2828
top = delta_buf + delta_size;
2929

3030
/* make sure the orig file size matches what we expect */
31-
size = get_delta_hdr_size(&data);
31+
size = get_delta_hdr_size(&data, top);
3232
if (size != src_size)
3333
return NULL;
3434

3535
/* now the result size */
36-
size = get_delta_hdr_size(&data);
36+
size = get_delta_hdr_size(&data, top);
3737
dst_buf = malloc(size + 1);
3838
if (!dst_buf)
3939
return NULL;
@@ -52,21 +52,37 @@ void *patch_delta(void *src_buf, unsigned long src_size,
5252
if (cmd & 0x20) cp_size |= (*data++ << 8);
5353
if (cmd & 0x40) cp_size |= (*data++ << 16);
5454
if (cp_size == 0) cp_size = 0x10000;
55+
if (cp_off + cp_size < cp_size ||
56+
cp_off + cp_size > src_size ||
57+
cp_size > size)
58+
goto bad;
5559
memcpy(out, src_buf + cp_off, cp_size);
5660
out += cp_size;
57-
} else {
61+
size -= cp_size;
62+
} else if (cmd) {
63+
if (cmd > size)
64+
goto bad;
5865
memcpy(out, data, cmd);
5966
out += cmd;
6067
data += cmd;
68+
size -= cmd;
69+
} else {
70+
/*
71+
* cmd == 0 is reserved for future encoding
72+
* extensions. In the mean time we must fail when
73+
* encountering them (might be data corruption).
74+
*/
75+
goto bad;
6176
}
6277
}
6378

6479
/* sanity check */
65-
if (data != top || out - dst_buf != size) {
80+
if (data != top || size != 0) {
81+
bad:
6682
free(dst_buf);
6783
return NULL;
6884
}
6985

70-
*dst_size = size;
86+
*dst_size = out - dst_buf;
7187
return dst_buf;
7288
}

sha1_file.c

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -808,10 +808,12 @@ static int packed_delta_info(unsigned char *base_sha1,
808808
* the result size.
809809
*/
810810
data = delta_head;
811-
get_delta_hdr_size(&data); /* ignore base size */
811+
812+
/* ignore base size */
813+
get_delta_hdr_size(&data, delta_head+sizeof(delta_head));
812814

813815
/* Read the result size */
814-
result_size = get_delta_hdr_size(&data);
816+
result_size = get_delta_hdr_size(&data, delta_head+sizeof(delta_head));
815817
*sizep = result_size;
816818
}
817819
return 0;

0 commit comments

Comments
 (0)