Commit 30d9176013cbaaced4b94f11717d259909bb8f81
2017-12-23T10:52:08
Merge pull request #4435 from lhchavez/ubsan-shift-overflow libFuzzer: Prevent a potential shift overflow
diff --git a/src/pack.c b/src/pack.c
index 7fd95c9..b87d22d 100644
--- a/src/pack.c
+++ b/src/pack.c
@@ -934,19 +934,19 @@ git_off_t get_delta_base(
if (type == GIT_OBJ_OFS_DELTA) {
unsigned used = 0;
unsigned char c = base_info[used++];
- base_offset = c & 127;
+ size_t unsigned_base_offset = c & 127;
while (c & 128) {
if (left <= used)
return GIT_EBUFS;
- base_offset += 1;
- if (!base_offset || MSB(base_offset, 7))
+ unsigned_base_offset += 1;
+ if (!unsigned_base_offset || MSB(unsigned_base_offset, 7))
return 0; /* overflow */
c = base_info[used++];
- base_offset = (base_offset << 7) + (c & 127);
+ unsigned_base_offset = (unsigned_base_offset << 7) + (c & 127);
}
- base_offset = delta_obj_offset - base_offset;
- if (base_offset <= 0 || base_offset >= delta_obj_offset)
+ if (unsigned_base_offset == 0 || (size_t)delta_obj_offset <= unsigned_base_offset)
return 0; /* out of bound */
+ base_offset = delta_obj_offset - unsigned_base_offset;
*curpos += used;
} else if (type == GIT_OBJ_REF_DELTA) {
/* If we have the cooperative cache, search in it first */