index: error out on unreasonable prefix-compressed path lengths When computing the complete path length from the encoded prefix-compressed path, we end up just allocating the complete path without ever checking what the encoded path length actually is. This can easily lead to a denial of service by just encoding an unreasonable long path name inside of the index. Git already enforces a maximum path length of 4096 bytes. As we also have that enforcement ready in some places, just make sure that the resulting path is smaller than GIT_PATH_MAX. Reported-by: Krishna Ram Prakash R <krp@gtux.in> Reported-by: Vivek Parikh <viv0411.parikh@gmail.com>
diff --git a/src/index.c b/src/index.c
index 6bbdf06..3ce7b0f 100644
--- a/src/index.c
+++ b/src/index.c
@@ -2375,6 +2375,10 @@ static int read_entry(
GITERR_CHECK_ALLOC_ADD(&path_len, prefix_len, suffix_len);
GITERR_CHECK_ALLOC_ADD(&path_len, path_len, 1);
+
+ if (path_len > GIT_PATH_MAX)
+ return index_error_invalid("unreasonable path length");
+
tmp_path = git__malloc(path_len);
GITERR_CHECK_ALLOC(tmp_path);