Commit b16692faa3c39f8342f40ad14c70480b9126614b

Kirill A. Shutemov 2011-07-12T20:29:12

index: fix potential overflow mode field of git_index_entry_unmerged is array of unsigned ints. It's unsafe to cast pointer to an element of the array to long int *. It may cause overflow in git_strtol32(). Signed-off-by: Kirill A. Shutemov <kirill@shutemov.name>

diff --git a/src/index.c b/src/index.c
index dc5024f..75471e5 100644
--- a/src/index.c
+++ b/src/index.c
@@ -657,10 +657,14 @@ static int read_unmerged(git_index *index, const char *buffer, size_t size)
 		buffer += len;
 
 		for (i = 0; i < 3; i++) {
-			if (git__strtol32((long int *) &lost->mode[i], buffer, &endptr, 8) < GIT_SUCCESS ||
-				!endptr || endptr == buffer || *endptr)
+			long tmp;
+
+			if (git__strtol32(&tmp, buffer, &endptr, 8) < GIT_SUCCESS ||
+				!endptr || endptr == buffer || *endptr || tmp > UINT_MAX)
 				return GIT_ERROR;
 
+			lost->mode[i] = tmp;
+
 			len = (endptr + 1) - buffer;
 			if (size <= len)
 				return git__throw(GIT_ERROR, "Failed to read unmerged entries");
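Review bot: The new range check in the `for` loop of read_unmerged rejects only values above UINT_MAX, so a negative `tmp` still reaches `lost->mode[i] = tmp;` and is stored as a very large unsigned mode. If git__strtol32 accepts a leading minus sign (its body is not visible here), a crafted index file could set an arbitrary high mode value this way. Where `long` is 32 bits, `tmp > UINT_MAX` is evaluated in unsigned arithmetic and can never be true, so the check does nothing on those platforms. I would make the condition `!endptr || endptr == buffer || *endptr || tmp < 0 || tmp > UINT_MAX)` and write the store as `lost->mode[i] = (unsigned int)tmp;` so the narrowing is explicit. The function starts and continues outside this hunk, so how `mode` is used afterwards is not shown.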