From: Jeff King <peff@peff.net>
To: git@vger.kernel.org
Cc: Junio C Hamano <gitster@pobox.com>, Jacek Wielemborek <d33tah@gmail.com>
Subject: [PATCH 3/3] use_pack: handle signed off_t overflow
Date: Thu, 25 Feb 2016 09:23:26 -0500 [thread overview]
Message-ID: <20160225142326.GC17811@sigill.intra.peff.net> (raw)
In-Reply-To: <20160225142004.GA17678@sigill.intra.peff.net>
A v2 pack index file can specify an offset within a packfile
of up to 2^64-1 bytes. On a system with a signed 64-bit
off_t, we can represent only up to 2^63-1. This means that a
corrupted .idx file can end up with a negative offset in the
pack code. Our bounds-checking use_pack function looks for
too-large offsets, but not for ones that have wrapped around
to negative. Let's do so, which fixes an out-of-bounds
access demonstrated in t5313.
Signed-off-by: Jeff King <peff@peff.net>
---
sha1_file.c | 2 ++
t/t5313-pack-bounds-checks.sh | 2 +-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/sha1_file.c b/sha1_file.c
index d2ffd92..9d223e6 100644
--- a/sha1_file.c
+++ b/sha1_file.c
@@ -1076,6 +1076,8 @@ unsigned char *use_pack(struct packed_git *p,
die("packfile %s cannot be accessed", p->pack_name);
if (offset > (p->pack_size - 20))
die("offset beyond end of packfile (truncated pack?)");
+ if (offset < 0)
+ die("offset before end of packfile (broken .idx?)");
if (!win || !in_window(win, offset)) {
if (win)
diff --git a/t/t5313-pack-bounds-checks.sh b/t/t5313-pack-bounds-checks.sh
index 0717746..a8a587a 100755
--- a/t/t5313-pack-bounds-checks.sh
+++ b/t/t5313-pack-bounds-checks.sh
@@ -136,7 +136,7 @@ test_expect_success 'bogus offset into v2 extended table' '
test_must_fail git index-pack --verify $pack
'
-test_expect_failure 'bogus offset inside v2 extended table' '
+test_expect_success 'bogus offset inside v2 extended table' '
# We need two objects here, so we can plausibly require
# an extended table (if the first object were larger than 2^31).
do_pack "$object $(git rev-parse HEAD)" --index-version=2 &&
--
2.7.2.695.gf3fde8e
next prev parent reply other threads:[~2016-02-25 14:23 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-02-25 14:20 [PATCH 0/3] out-of-bounds access from corrupted .idx files Jeff King
2016-02-25 14:21 ` [PATCH 1/3] t5313: test bounds-checks of corrupted/malicious pack/idx files Jeff King
2016-02-25 19:12 ` Johannes Sixt
2016-02-25 20:31 ` Junio C Hamano
2016-02-25 22:07 ` Jeff King
2016-02-25 14:22 ` [PATCH 2/3] nth_packed_object_offset: bounds-check extended offset Jeff King
2016-02-25 14:23 ` Jeff King [this message]
2016-02-27 7:49 ` [PATCH 4/3] sha1_file.c: mark strings for translation Nguyễn Thái Ngọc Duy
2016-02-27 17:41 ` Junio C Hamano
2016-02-27 18:25 ` Jeff King
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160225142326.GC17811@sigill.intra.peff.net \
--to=peff@peff.net \
--cc=d33tah@gmail.com \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).