[PATCH] apply: detect overflow when parsing hunk header

git.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] apply: detect overflow when parsing hunk header
@ 2025-01-30 11:08 Phillip Wood via GitGitGadget
  2025-01-30 22:17 ` Junio C Hamano
  0 siblings, 1 reply; 2+ messages in thread
From: Phillip Wood via GitGitGadget @ 2025-01-30 11:08 UTC (permalink / raw)
  To: git; +Cc: Sören Krecker, Phillip Wood, Phillip Wood

From: Phillip Wood <phillip.wood@dunelm.org.uk>

"git apply" uses strtoul() to parse the numbers in the hunk header but
silently ignores overflows. As LONG_MAX is a legitimate return value for
strtoul() we need to set errno to zero before the call to strtoul() and
check that it is still zero afterwards. The error message we display is
not particularly helpful as it does not say what was wrong.  However, it
seems pretty unlikely that users are going to trigger this error in
practice and we can always improve it later if needed.

Signed-off-by: Phillip Wood <phillip.wood@dunelm.org.uk>
---
    apply: detect overflow when parsing hunk header
    
    We should do something similar in "git add -p" but I'll wait to see what
    happens with
    https://lore.kernel.org/git/20250126125638.3089-2-soekkle@freenet.de/
    first

Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-1858%2Fphillipwood%2Fapply-detect-hunk-header-overflow-v1
Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-1858/phillipwood/apply-detect-hunk-header-overflow-v1
Pull-Request: https://github.com/gitgitgadget/git/pull/1858

 apply.c               |  3 +++
 t/t4100-apply-stat.sh | 13 +++++++++++++
 2 files changed, 16 insertions(+)

diff --git a/apply.c b/apply.c
index 4a7b6120ac8..b124678b93b 100644
--- a/apply.c
+++ b/apply.c
@@ -1423,7 +1423,10 @@ static int parse_num(const char *line, unsigned long *p)
 
 	if (!isdigit(*line))
 		return 0;
+	errno = 0;
 	*p = strtoul(line, &ptr, 10);
+	if (errno)
+		return 0;
 	return ptr - line;
 }
 
diff --git a/t/t4100-apply-stat.sh b/t/t4100-apply-stat.sh
index 146e73d8f55..a5664f3eb3c 100755
--- a/t/t4100-apply-stat.sh
+++ b/t/t4100-apply-stat.sh
@@ -38,4 +38,17 @@ incomplete (1)
 incomplete (2)
 EOF
 
+test_expect_success 'applying a hunk header which overflows fails' '
+	cat >patch <<-\EOF &&
+	diff -u a/file b/file
+	--- a/file
+	+++ b/file
+	@@ -98765432109876543210 +98765432109876543210 @@
+	-a
+	+b
+	EOF
+	test_must_fail git apply patch 2>err &&
+	echo "error: corrupt patch at line 4" >expect &&
+	test_cmp expect err
+'
 test_done

base-commit: fbe8d3079d4a96aeb4e4529cc93cc0043b759a05
-- 
gitgitgadget

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH] apply: detect overflow when parsing hunk header
  2025-01-30 11:08 [PATCH] apply: detect overflow when parsing hunk header Phillip Wood via GitGitGadget
@ 2025-01-30 22:17 ` Junio C Hamano
  0 siblings, 0 replies; 2+ messages in thread
From: Junio C Hamano @ 2025-01-30 22:17 UTC (permalink / raw)
  To: Phillip Wood via GitGitGadget; +Cc: git, Sören Krecker, Phillip Wood

"Phillip Wood via GitGitGadget" <gitgitgadget@gmail.com> writes:

> From: Phillip Wood <phillip.wood@dunelm.org.uk>
>
> "git apply" uses strtoul() to parse the numbers in the hunk header but
> silently ignores overflows. As LONG_MAX is a legitimate return value for
> strtoul() we need to set errno to zero before the call to strtoul() and
> check that it is still zero afterwards. The error message we display is
> not particularly helpful as it does not say what was wrong.  However, it
> seems pretty unlikely that users are going to trigger this error in
> practice and we can always improve it later if needed.

Thanks.  We made an effort to use a type that is a bit wider than
"int", but we apparently ignored that the Git userbase will become a
lot wider some day and unfriendly and/or hostile folks would start
feeding malicious input to us X-<.  The check presented here look
good, and the fact that there was only one change needed shows how
well designed the base code was ;-)

Will queue.  Thanks.

> @@ -1423,7 +1423,10 @@ static int parse_num(const char *line, unsigned long *p)
>  
>  	if (!isdigit(*line))
>  		return 0;
> +	errno = 0;
>  	*p = strtoul(line, &ptr, 10);
> +	if (errno)
> +		return 0;
>  	return ptr - line;
>  }
>  
> diff --git a/t/t4100-apply-stat.sh b/t/t4100-apply-stat.sh
> index 146e73d8f55..a5664f3eb3c 100755
> --- a/t/t4100-apply-stat.sh
> +++ b/t/t4100-apply-stat.sh
> @@ -38,4 +38,17 @@ incomplete (1)
>  incomplete (2)
>  EOF
>  
> +test_expect_success 'applying a hunk header which overflows fails' '
> +	cat >patch <<-\EOF &&
> +	diff -u a/file b/file
> +	--- a/file
> +	+++ b/file
> +	@@ -98765432109876543210 +98765432109876543210 @@
> +	-a
> +	+b
> +	EOF
> +	test_must_fail git apply patch 2>err &&
> +	echo "error: corrupt patch at line 4" >expect &&
> +	test_cmp expect err
> +'
>  test_done
>
> base-commit: fbe8d3079d4a96aeb4e4529cc93cc0043b759a05

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2025-01-30 22:17 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-01-30 11:08 [PATCH] apply: detect overflow when parsing hunk header Phillip Wood via GitGitGadget
2025-01-30 22:17 ` Junio C Hamano

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).