kernel
/
git
mirror of https://git.kernel.org/pub/scm/git/git.git
1
0
Fork 0
Code Releases Activity
Browse Source

vcs-svn: guard against overflow when computing preimage length 

Signed integer overflow produces undefined behavior in C and off_t is
a signed type.  For predictable behavior, add some checks to protect
in advance against overflow.

On 32-bit systems ftell as called by buffer_tmpfile_prepare_to_read
is likely to fail with EOVERFLOW when reading the corresponding
postimage, and this patch does not fix that.  So it's more of a
futureproofing measure than a complete fix.

Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
maint
Jonathan Nieder 14 years ago
parent
157415a9a9
commit
abe27c0cbd
1 changed files with 14 additions and 1 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 15
      vcs-svn/fast_export.c

15
vcs-svn/fast_export.c
Unescape View File

@ -166,6 +166,7 @@ static int ends_with(const char *s, size_t len, const char *suffix) @@ -166,6 +166,7 @@ static int ends_with(const char *s, size_t len, const char *suffix)
static int parse_cat_response_line(const char *header, off_t *len)
{
size_t headerlen = strlen(header);
uintmax_t n;
const char *type;
const char *end;

@ -174,14 +175,25 @@ static int parse_cat_response_line(const char *header, off_t *len) @@ -174,14 +175,25 @@ static int parse_cat_response_line(const char *header, off_t *len)
type = memmem(header, headerlen, " blob ", strlen(" blob "));
if (!type)
return error("cat-blob header has wrong object type: %s", header);
*len = strtoumax(type + strlen(" blob "), (char **) &end, 10);
n = strtoumax(type + strlen(" blob "), (char **) &end, 10);
if (end == type + strlen(" blob "))
return error("cat-blob header does not contain length: %s", header);
if (memchr(type + strlen(" blob "), '-', end - type - strlen(" blob ")))
return error("cat-blob header contains negative length: %s", header);
if (n == UINTMAX_MAX || n > maximum_signed_value_of_type(off_t))
return error("blob too large for current definition of off_t");
*len = n;
if (*end)
return error("cat-blob header contains garbage after length: %s", header);
return 0;
}

static void check_preimage_overflow(off_t a, off_t b)
{
if (signed_add_overflows(a, b))
die("blob too large for current definition of off_t");
}

static long apply_delta(off_t len, struct line_buffer *input,
const char *old_data, uint32_t old_mode)
{
@ -204,6 +216,7 @@ static long apply_delta(off_t len, struct line_buffer *input, @@ -204,6 +216,7 @@ static long apply_delta(off_t len, struct line_buffer *input,
}
if (old_mode == REPO_MODE_LNK) {
strbuf_addstr(&preimage.buf, "link ");
check_preimage_overflow(preimage_len, strlen("link "));
preimage_len += strlen("link ");
}
if (svndiff0_apply(input, len, &preimage, out))

Write Preview
Loading…
Cancel
Save