Commit 21652ee9de439e042cc2e69b208aa2ef8ce31147
2018-10-18T11:43:30
tree-cache: avoid out-of-bound reads when parsing trees We use the `git__strtol32` function to parse the child and entry count of treecaches from the index, which do not accept a buffer length. As the buffer that is being passed in is untrusted data and may thus be malformed and may not contain a terminating `NUL` byte, we can overrun the buffer and thus perform an out-of-bounds read. Fix the issue by uzing `git__strntol32` instead.
diff --git a/src/tree-cache.c b/src/tree-cache.c
index b331d22..c33e6af 100644
--- a/src/tree-cache.c
+++ b/src/tree-cache.c
@@ -91,7 +91,7 @@ static int read_tree_internal(git_tree_cache **out,
return -1;
/* Blank-terminated ASCII decimal number of entries in this tree */
- if (git__strtol32(&count, buffer, &buffer, 10) < 0)
+ if (git__strntol32(&count, buffer, buffer_end - buffer, &buffer, 10) < 0)
goto corrupted;
tree->entry_count = count;
@@ -100,7 +100,7 @@ static int read_tree_internal(git_tree_cache **out,
goto corrupted;
/* Number of children of the tree, newline-terminated */
- if (git__strtol32(&count, buffer, &buffer, 10) < 0 || count < 0)
+ if (git__strntol32(&count, buffer, buffer_end - buffer, &buffer, 10) < 0 || count < 0)
goto corrupted;
tree->children_count = count;