From: Junio C Hamano <gitster@pobox.com>
To: "Phillip Wood via GitGitGadget" <gitgitgadget@gmail.com>
Cc: git@vger.kernel.org, "Sören Krecker" <soekkle@freenet.de>,
"Phillip Wood" <phillip.wood@dunelm.org.uk>
Subject: Re: [PATCH] apply: detect overflow when parsing hunk header
Date: Thu, 30 Jan 2025 14:17:48 -0800 [thread overview]
Message-ID: <xmqqh65gaqur.fsf@gitster.g> (raw)
In-Reply-To: <pull.1858.git.1738235310815.gitgitgadget@gmail.com> (Phillip Wood via GitGitGadget's message of "Thu, 30 Jan 2025 11:08:30 +0000")
"Phillip Wood via GitGitGadget" <gitgitgadget@gmail.com> writes:
> From: Phillip Wood <phillip.wood@dunelm.org.uk>
>
> "git apply" uses strtoul() to parse the numbers in the hunk header but
> silently ignores overflows. As LONG_MAX is a legitimate return value for
> strtoul() we need to set errno to zero before the call to strtoul() and
> check that it is still zero afterwards. The error message we display is
> not particularly helpful as it does not say what was wrong. However, it
> seems pretty unlikely that users are going to trigger this error in
> practice and we can always improve it later if needed.
Thanks. We made an effort to use a type that is a bit wider than
"int", but we apparently ignored that the Git userbase will become a
lot wider some day and unfriendly and/or hostile folks would start
feeding malicious input to us X-<. The check presented here look
good, and the fact that there was only one change needed shows how
well designed the base code was ;-)
Will queue. Thanks.
> @@ -1423,7 +1423,10 @@ static int parse_num(const char *line, unsigned long *p)
>
> if (!isdigit(*line))
> return 0;
> + errno = 0;
> *p = strtoul(line, &ptr, 10);
> + if (errno)
> + return 0;
> return ptr - line;
> }
>
> diff --git a/t/t4100-apply-stat.sh b/t/t4100-apply-stat.sh
> index 146e73d8f55..a5664f3eb3c 100755
> --- a/t/t4100-apply-stat.sh
> +++ b/t/t4100-apply-stat.sh
> @@ -38,4 +38,17 @@ incomplete (1)
> incomplete (2)
> EOF
>
> +test_expect_success 'applying a hunk header which overflows fails' '
> + cat >patch <<-\EOF &&
> + diff -u a/file b/file
> + --- a/file
> + +++ b/file
> + @@ -98765432109876543210 +98765432109876543210 @@
> + -a
> + +b
> + EOF
> + test_must_fail git apply patch 2>err &&
> + echo "error: corrupt patch at line 4" >expect &&
> + test_cmp expect err
> +'
> test_done
>
> base-commit: fbe8d3079d4a96aeb4e4529cc93cc0043b759a05
prev parent reply other threads:[~2025-01-30 22:17 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-30 11:08 [PATCH] apply: detect overflow when parsing hunk header Phillip Wood via GitGitGadget
2025-01-30 22:17 ` Junio C Hamano [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=xmqqh65gaqur.fsf@gitster.g \
--to=gitster@pobox.com \
--cc=git@vger.kernel.org \
--cc=gitgitgadget@gmail.com \
--cc=phillip.wood@dunelm.org.uk \
--cc=soekkle@freenet.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.