From: Junio C Hamano <gitster@pobox.com>
To: "Phillip Wood via GitGitGadget" <gitgitgadget@gmail.com>
Cc: git@vger.kernel.org, "Sören Krecker" <soekkle@freenet.de>,
"Phillip Wood" <phillip.wood@dunelm.org.uk>
Subject: Re: [PATCH] apply: detect overflow when parsing hunk header
Date: Thu, 30 Jan 2025 14:17:48 -0800 [thread overview]
Message-ID: <xmqqh65gaqur.fsf@gitster.g> (raw)
In-Reply-To: <pull.1858.git.1738235310815.gitgitgadget@gmail.com> (Phillip Wood via GitGitGadget's message of "Thu, 30 Jan 2025 11:08:30 +0000")
"Phillip Wood via GitGitGadget" <gitgitgadget@gmail.com> writes:
> From: Phillip Wood <phillip.wood@dunelm.org.uk>
>
> "git apply" uses strtoul() to parse the numbers in the hunk header but
> silently ignores overflows. As LONG_MAX is a legitimate return value for
> strtoul() we need to set errno to zero before the call to strtoul() and
> check that it is still zero afterwards. The error message we display is
> not particularly helpful as it does not say what was wrong. However, it
> seems pretty unlikely that users are going to trigger this error in
> practice and we can always improve it later if needed.
Thanks. We made an effort to use a type that is a bit wider than
"int", but we apparently ignored that the Git userbase will become a
lot wider some day and unfriendly and/or hostile folks would start
feeding malicious input to us X-<. The check presented here look
good, and the fact that there was only one change needed shows how
well designed the base code was ;-)
Will queue. Thanks.
> @@ -1423,7 +1423,10 @@ static int parse_num(const char *line, unsigned long *p)
>
> if (!isdigit(*line))
> return 0;
> + errno = 0;
> *p = strtoul(line, &ptr, 10);
> + if (errno)
> + return 0;
> return ptr - line;
> }
>
> diff --git a/t/t4100-apply-stat.sh b/t/t4100-apply-stat.sh
> index 146e73d8f55..a5664f3eb3c 100755
> --- a/t/t4100-apply-stat.sh
> +++ b/t/t4100-apply-stat.sh
> @@ -38,4 +38,17 @@ incomplete (1)
> incomplete (2)
> EOF
>
> +test_expect_success 'applying a hunk header which overflows fails' '
> + cat >patch <<-\EOF &&
> + diff -u a/file b/file
> + --- a/file
> + +++ b/file
> + @@ -98765432109876543210 +98765432109876543210 @@
> + -a
> + +b
> + EOF
> + test_must_fail git apply patch 2>err &&
> + echo "error: corrupt patch at line 4" >expect &&
> + test_cmp expect err
> +'
> test_done
>
> base-commit: fbe8d3079d4a96aeb4e4529cc93cc0043b759a05
prev parent reply other threads:[~2025-01-30 22:17 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-30 11:08 [PATCH] apply: detect overflow when parsing hunk header Phillip Wood via GitGitGadget
2025-01-30 22:17 ` Junio C Hamano [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=xmqqh65gaqur.fsf@gitster.g \
--to=gitster@pobox.com \
--cc=git@vger.kernel.org \
--cc=gitgitgadget@gmail.com \
--cc=phillip.wood@dunelm.org.uk \
--cc=soekkle@freenet.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).