Commit a42e11aeaf5941f73daf45648e9f4ad511d834a6

lhchavez 2017-12-08T06:00:27

libFuzzer: Prevent a potential shift overflow The type of |base_offset| in get_delta_base() is `git_off_t`, which is a signed `long`. That means that we need to make sure that the 8 most significant bits are zero (instead of 7) to avoid an overflow when it is shifted by 7 bits. Found using libFuzzer.

diff --git a/src/pack.c b/src/pack.c
index f8d0dc9..3e35503 100644
--- a/src/pack.c
+++ b/src/pack.c
@@ -939,7 +939,7 @@ git_off_t get_delta_base(
 			if (left <= used)
 				return GIT_EBUFS;
 			base_offset += 1;
-			if (!base_offset || MSB(base_offset, 7))
+			if (!base_offset || MSB(base_offset, 8))
 				return 0; /* overflow */
 			c = base_info[used++];
 			base_offset = (base_offset << 7) + (c & 127);
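Review bot: The widened guard on line 29 protects only the shift on line 32; the `base_offset += 1` on line 27 still operates on the previous iteration's result, and with the signed 64-bit git_off_t the message describes that result can be as large as the type's maximum (top 8 bits clear gives at most 2^56-1, shifted by 7 is 2^63-128, plus a low byte of up to 127), so the increment itself can still overflow on a crafted delta header. One way to close the boundary case is to bound the value before incrementing instead of after, e.g. `if (base_offset >= (((git_off_t)1 << 56) - 1)) return 0; /* increment or shift would overflow */` placed ahead of `base_offset += 1;`, which also makes the later MSB check redundant; this assumes git_off_t is 64-bit and that MSB() masks the top bits of that width, neither of which is visible in the hunk, so prefer a form expressed via sizeof(base_offset) if the macro already does so. The `!base_offset` test reads like a leftover wrap detector from unsigned arithmetic and is harmless to keep, but a comment such as `/* a wrapped or out-of-range offset cannot be a valid base */` would explain why zero is rejected here. The enclosing loop and the body of get_delta_base begin and end outside the hunk.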