File libgit2-boo1100612-bounds-check.patch of Package libgit2.9827
From 25d4a8c9c4a3059c7b473b43dbd5ad391fe2660a Mon Sep 17 00:00:00 2001
From: Patrick Steinhardt <ps@pks.im>
Date: Fri, 29 Jun 2018 09:11:02 +0200
Subject: [PATCH] delta: fix out-of-bounds read of delta

When computing the offset and length of the delta base, we repeatedly increment the `delta` pointer without checking whether we have advanced past its end already, which can thus result in an out-of-bounds read. Fix this by repeatedly checking whether we have reached the end. Add a test which would cause Valgrind to produce an error.

Reported-by: Riccardo Schirone <rschiron@redhat.com>
Test-provided-by: Riccardo Schirone <rschiron@redhat.com>
Backported by Mike Gorse <mgorse@suse.com>
---
diff -urpN libgit2-0.24.1.orig/src/delta-apply.c libgit2-0.24.1/src/delta-apply.c
--- libgit2-0.24.1.orig/src/delta-apply.c 2018-12-10 18:05:04.997564296 -0600
+++ libgit2-0.24.1/src/delta-apply.c 2018-12-10 18:05:25.333663700 -0600
@@ -89,15 +89,17 @@ int git__delta_apply(
 /* cmd is a copy instruction; copy from the base. */
 size_t off = 0, len = 0;
 
- if (cmd & 0x01) off = *delta++;
- if (cmd & 0x02) off |= *delta++ << 8;
- if (cmd & 0x04) off |= *delta++ << 16;
- if (cmd & 0x08) off |= ((unsigned) *delta++ << 24UL);
+#define ADD_DELTA(o, shift) { if (delta < delta_end) (o) |= ((unsigned) *delta++ << shift); else goto fail; }
+ if (cmd & 0x01) ADD_DELTA(off, 0UL);
+ if (cmd & 0x02) ADD_DELTA(off, 8UL);
+ if (cmd & 0x04) ADD_DELTA(off, 16UL);
+ if (cmd & 0x08) ADD_DELTA(off, 24UL);
 
- if (cmd & 0x10) len = *delta++;
- if (cmd & 0x20) len |= *delta++ << 8;
- if (cmd & 0x40) len |= *delta++ << 16;
+ if (cmd & 0x10) ADD_DELTA(len, 0UL);
+ if (cmd & 0x20) ADD_DELTA(len, 8UL);
+ if (cmd & 0x40) ADD_DELTA(len, 16UL);
 if (!len) len = 0x10000;
+#undef ADD_DELTA
 
 if (base_len < off + len || res_sz < len)
 goto fail;
diff -urpN libgit2-0.24.1.orig/tests/delta/apply.c libgit2-0.24.1/tests/delta/apply.c
--- libgit2-0.24.1.orig/tests/delta/apply.c 2018-12-10 18:05:04.997564296 -0600
+++ libgit2-0.24.1/tests/delta/apply.c 2018-12-10 18:06:02.429845045 -0600
@@ -14,3 +14,15 @@ void test_delta_apply__read_at_off(void)
 
 cl_git_fail(git__delta_apply(&obj, base, sizeof(base), delta, sizeof(delta)));
 }
+
+void test_delta_apply__read_after_limit(void)
+{
+ unsigned char base[16] = { 0 }, delta[] = { 0x10, 0x70, 0xff };
+ git_rawobj obj;
+
+ obj.data = NULL;
+ obj.len = 0;
+ obj.type = GIT_OBJ_BAD;
+
+ cl_git_fail(git__delta_apply(&obj, base, sizeof(base), delta, sizeof(delta)));
+}
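Review bot: The unchanged range check at the end of this hunk, `if (base_len < off + len || res_sz < len)`, still adds two values read from the delta before comparing them with `base_len`. `off` can be filled with 32 bits and `len` with 24 bits, so on a build where `size_t` is 32 bits the sum may wrap and the test may pass for a copy range that lies outside the base; the new per-byte guards do not cover that. Writing the comparison without the addition avoids it, e.g. `if (base_len < off || base_len - off < len || res_sz < len)`. On style, `ADD_DELTA` depends on `delta_end` and the `fail` label, which are defined outside the hunk, and a `do { ... } while (0)` body with `(shift)` parenthesised would be the conventional form for a statement macro.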
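Review bot: `test_delta_apply__read_after_limit` only covers a delta that ends directly after the command byte, so apparently only the first `ADD_DELTA` guard in `git__delta_apply` is exercised. A second case whose array ends partway through the offset or length operands would cover the remaining guards. The array literal would also benefit from a comment such as `/* two size headers, then a copy command with no operand bytes */`; that reading is inferred from the src/delta-apply.c hunk and should be confirmed against the header parsing, which is not shown here. As the commit message notes, the unfixed code only fails under a memory checker, so the test is meaningful mainly when the suite is run under Valgrind or a sanitizer.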