Merge pull request #4575 from pks-t/pks/index-secfixes-master Index parsing fixes
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104
diff --git a/src/index.c b/src/index.c
index d98872a..a867547 100644
--- a/src/index.c
+++ b/src/index.c
@@ -2299,8 +2299,9 @@ static size_t index_entry_size(size_t path_len, size_t varint_len, uint32_t flag
}
}
-static size_t read_entry(
+static int read_entry(
git_index_entry **out,
+ size_t *out_size,
git_index *index,
const void *buffer,
size_t buffer_size,
@@ -2314,7 +2315,7 @@ static size_t read_entry(
char *tmp_path = NULL;
if (INDEX_FOOTER_SIZE + minimal_entry_size > buffer_size)
- return 0;
+ return -1;
/* buffer is not guaranteed to be aligned */
memcpy(&source, buffer, sizeof(struct entry_short));
@@ -2356,7 +2357,7 @@ static size_t read_entry(
path_end = memchr(path_ptr, '\0', buffer_size);
if (path_end == NULL)
- return 0;
+ return -1;
path_length = path_end - path_ptr;
}
@@ -2364,19 +2365,24 @@ static size_t read_entry(
entry_size = index_entry_size(path_length, 0, entry.flags);
entry.path = (char *)path_ptr;
} else {
- size_t varint_len;
- size_t strip_len = git_decode_varint((const unsigned char *)path_ptr,
- &varint_len);
- size_t last_len = strlen(last);
- size_t prefix_len = last_len - strip_len;
- size_t suffix_len = strlen(path_ptr + varint_len);
- size_t path_len;
-
- if (varint_len == 0)
+ size_t varint_len, last_len, prefix_len, suffix_len, path_len;
+ uintmax_t strip_len;
+
+ strip_len = git_decode_varint((const unsigned char *)path_ptr, &varint_len);
+ last_len = strlen(last);
+
+ if (varint_len == 0 || last_len < strip_len)
return index_error_invalid("incorrect prefix length");
+ prefix_len = last_len - strip_len;
+ suffix_len = strlen(path_ptr + varint_len);
+
GITERR_CHECK_ALLOC_ADD(&path_len, prefix_len, suffix_len);
GITERR_CHECK_ALLOC_ADD(&path_len, path_len, 1);
+
+ if (path_len > GIT_PATH_MAX)
+ return index_error_invalid("unreasonable path length");
+
tmp_path = git__malloc(path_len);
GITERR_CHECK_ALLOC(tmp_path);
@@ -2386,16 +2392,20 @@ static size_t read_entry(
entry.path = tmp_path;
}
+ if (entry_size == 0)
+ return -1;
+
if (INDEX_FOOTER_SIZE + entry_size > buffer_size)
- return 0;
+ return -1;
if (index_entry_dup(out, index, &entry) < 0) {
git__free(tmp_path);
- return 0;
+ return -1;
}
git__free(tmp_path);
- return entry_size;
+ *out_size = entry_size;
+ return 0;
}
static int read_header(struct index_header *dest, const void *buffer)
@@ -2499,10 +2509,9 @@ static int parse_index(git_index *index, const char *buffer, size_t buffer_size)
/* Parse all the entries */
for (i = 0; i < header.entry_count && buffer_size > INDEX_FOOTER_SIZE; ++i) {
git_index_entry *entry = NULL;
- size_t entry_size = read_entry(&entry, index, buffer, buffer_size, last);
+ size_t entry_size;
- /* 0 bytes read means an object corruption */
- if (entry_size == 0) {
+ if ((error = read_entry(&entry, &entry_size, index, buffer, buffer_size, last)) < 0) {
error = index_error_invalid("invalid entry");
goto done;
}