git-commit-vandalism/builtin
Jeff King 7202a6fa87 encode_in_pack_object_header: respect output buffer length
The encode_in_pack_object_header() writes a variable-length
header to an output buffer, but it doesn't actually know
how long the buffer is. At first glance, this looks like it
might be possible to overflow.

In practice, this is probably impossible. The smallest
buffer we use is 10 bytes, which would hold the header for
an object up to 2^67 bytes. Obviously we're not likely to
see such an object, but we might worry that an object could
lie about its size (causing us to overflow before we realize
it does not actually have that many bytes). But the argument
is passed as a uintmax_t. Even on systems that have __int128
available, uintmax_t is typically restricted to 64-bit by
the ABI.

So it's unlikely that a system exists where this could be
exploited. Still, it's easy enough to use a normal out/len
pair and make sure we don't write too far. That protects the
hypothetical 128-bit system, makes it harder for callers to
accidentally specify a too-small buffer, and makes the
resulting code easier to audit.

Note that the one caller in fast-import tried to catch such
a case, but did so _after_ the call (at which point we'd
have already overflowed!). This check can now go away.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-03-24 12:34:07 -07:00
add.c hold_locked_index(): align error handling with hold_lockfile_for_update() 2016-12-07 11:31:59 -08:00
am.c Merge branch 'sb/sequencer-abort-safety' 2016-12-21 14:55:01 -08:00
annotate.c
apply.c Convert read_mmblob to take struct object_id. 2016-09-07 12:59:42 -07:00
archive.c archive: read local configuration 2016-11-22 13:55:20 -08:00
bisect--helper.c
blame.c Merge branch 'jk/blame-fixes' into maint 2017-01-31 13:32:07 -08:00
branch.c Merge branch 'nd/for-each-ref-ignore-case' 2016-12-19 14:45:31 -08:00
bundle.c
cat-file.c Merge branch 'jk/pack-objects-optim-mru' 2016-10-10 14:03:47 -07:00
check-attr.c give "nbuf" strbuf a more meaningful name 2016-02-01 13:43:02 -08:00
check-ignore.c give "nbuf" strbuf a more meaningful name 2016-02-01 13:43:02 -08:00
check-mailmap.c strbuf: introduce strbuf_getline_{lf,nul}() 2016-01-15 10:12:51 -08:00
check-ref-format.c use xmallocz to avoid size arithmetic 2016-02-22 14:51:09 -08:00
checkout-index.c hold_locked_index(): align error handling with hold_lockfile_for_update() 2016-12-07 11:31:59 -08:00
checkout.c Merge branch 'cw/log-updates-for-all-refs-really' 2017-02-03 11:25:19 -08:00
clean.c i18n: clean.c: match string with git-add--interactive.perl 2016-12-14 11:00:05 -08:00
clone.c Merge branch 'rs/absolute-pathdup' 2017-02-02 13:36:55 -08:00
column.c column: read lines with strbuf_getline() 2016-01-15 10:35:07 -08:00
commit-tree.c builtin/commit-tree: convert to struct object_id 2016-09-07 12:59:43 -07:00
commit.c builtin/commit.c: switch to strbuf, instead of snprintf() 2017-01-31 10:09:00 -08:00
config.c i18n: config: mark error message for translation 2016-09-15 13:17:32 -07:00
count-objects.c alternates: use fspathcmp to detect duplicates 2016-10-10 13:52:37 -07:00
credential.c
describe.c use QSORT 2016-09-29 15:42:18 -07:00
diff-files.c diff: run arguments through precompose_argv 2016-05-13 14:35:49 -07:00
diff-index.c diff: run arguments through precompose_argv 2016-05-13 14:35:49 -07:00
diff-tree.c use SWAP macro 2017-01-30 14:17:00 -08:00
diff.c use SWAP macro 2017-01-30 14:17:00 -08:00
difftool.c difftool: fix bug when printing usage 2017-02-06 10:13:48 -08:00
fast-export.c use QSORT 2016-09-29 15:42:18 -07:00
fetch-pack.c Merge branch 'nd/shallow-deepen' 2016-10-10 14:03:50 -07:00
fetch.c Merge branch 'js/remote-rename-with-half-configured-remote' 2017-01-31 13:14:59 -08:00
fmt-merge-msg.c remove unnecessary check before QSORT 2016-09-29 15:42:18 -07:00
for-each-ref.c tag, branch, for-each-ref: add --ignore-case for sorting and filtering 2016-12-05 14:59:29 -08:00
fsck.c Merge branch 'jk/fsck-connectivity-check-fix' 2017-01-31 13:15:01 -08:00
gc.c gc: ignore old gc.log files 2017-02-13 15:19:11 -08:00
get-tar-commit-id.c usage: do not insist that standard input must come from a file 2015-10-16 15:27:52 -07:00
grep.c grep: search history of moved submodules 2016-12-22 11:47:33 -08:00
hash-object.c hash-object: always try to set up the git repository 2016-09-13 15:45:45 -07:00
help.c Merge branch 'js/no-html-bypass-on-windows' into maint 2016-09-08 21:35:55 -07:00
index-pack.c index-pack: skip collision check when not in repository 2016-12-16 13:57:19 -08:00
init-db.c real_pathdup(): fix callsites that wanted it to die on error 2017-03-08 14:38:41 -08:00
interpret-trailers.c Merge branch 'jk/parseopt-string-list' into jk/string-list-static-init 2016-06-13 10:37:48 -07:00
log.c Merge branch 'jt/format-patch-rfc' 2016-09-26 16:09:17 -07:00
ls-files.c ls-files: move only kept cache entries in prune_cache() 2017-02-13 12:06:10 -08:00
ls-remote.c ls-remote: add support for showing symrefs 2016-01-19 10:07:56 -08:00
ls-tree.c ls-tree: convert show_recursive to use the pathspec struct interface 2017-01-08 18:04:17 -08:00
mailinfo.c mailinfo: read local configuration 2016-11-22 13:13:16 -08:00
mailsplit.c mailsplit: support unescaping mboxrd messages 2016-06-06 11:14:43 -07:00
merge-base.c merge-base: handle --fork-point without reflog 2016-10-12 14:30:16 -07:00
merge-file.c builtin/merge-file.c: use error_errno() 2016-05-09 12:29:08 -07:00
merge-index.c use oid_to_hex_r() for converting struct object_id hashes to hex strings 2017-01-30 14:23:40 -08:00
merge-ours.c
merge-recursive.c i18n: merge-recursive: mark verbose message for translation 2016-09-15 13:17:32 -07:00
merge-tree.c struct name_entry: use struct object_id instead of unsigned char sha1[20] 2016-04-25 14:23:42 -07:00
merge.c Merge branch 'cp/merge-continue' 2016-12-27 00:11:41 -08:00
mktag.c usage: do not insist that standard input must come from a file 2015-10-16 15:27:52 -07:00
mktree.c use QSORT 2016-09-29 15:42:18 -07:00
mv.c Merge branch 'bw/pathspec-cleanup' 2017-01-18 15:12:15 -08:00
name-rev.c use QSORT 2016-09-29 15:42:18 -07:00
notes.c notes: spell first word of error messages in lowercase 2016-09-15 13:17:32 -07:00
pack-objects.c encode_in_pack_object_header: respect output buffer length 2017-03-24 12:34:07 -07:00
pack-redundant.c convert trivial cases to ALLOC_ARRAY 2016-02-22 14:51:09 -08:00
pack-refs.c
patch-id.c Merge branch 'rs/patch-id-use-skip-prefix' 2016-06-03 14:38:03 -07:00
prune-packed.c
prune.c Merge branch 'jk/repository-extension' into maint 2015-11-03 15:32:25 -08:00
pull.c Merge branch 'jc/pull-rebase-ff' into maint 2017-01-17 15:11:05 -08:00
push.c Merge branch 'bw/push-submodule-only' 2017-01-31 13:14:56 -08:00
read-tree.c read-tree: use OPT_BOOL instead of OPT_SET_INT 2017-01-11 13:17:16 -08:00
receive-pack.c Merge branch 'rs/receive-pack-cleanup' 2017-02-02 13:36:57 -08:00
reflog.c struct name_entry: use struct object_id instead of unsigned char sha1[20] 2016-04-25 14:23:42 -07:00
remote-ext.c pkt-line: rename packet_write() to packet_write_fmt() 2016-10-17 11:36:50 -07:00
remote-fd.c
remote.c Merge branch 'rl/remote-allow-missing-branch-name-merge' into maint 2017-03-21 15:03:28 -07:00
repack.c repack: die on incremental + write-bitmap-index 2016-12-29 13:45:37 -08:00
replace.c Merge branch 'js/replace-edit-use-editor-configuration' into maint 2016-05-06 14:53:24 -07:00
rerere.c Sync with 2.6.1 2015-10-05 13:20:08 -07:00
reset.c hold_locked_index(): align error handling with hold_lockfile_for_update() 2016-12-07 11:31:59 -08:00
rev-list.c use oid_to_hex_r() for converting struct object_id hashes to hex strings 2017-01-30 14:23:40 -08:00
rev-parse.c Merge branch 'jk/rev-parse-symbolic-parents-fix' into maint 2017-01-17 14:49:26 -08:00
revert.c sequencer: get rid of the subcommand field 2016-10-21 09:32:34 -07:00
rm.c rm: reuse strbuf for all remove_dir_recursively() calls, again 2017-02-13 14:33:32 -08:00
send-pack.c Merge branch 'sk/send-pack-all-fix' into maint 2016-04-29 14:15:57 -07:00
shortlog.c shortlog: group by committer information 2016-12-15 16:19:13 -08:00
show-branch.c Merge branch 'jk/show-branch-lift-name-len-limit' into maint 2017-03-21 15:03:29 -07:00
show-ref.c show-ref: remove a stale comment 2017-01-23 18:51:56 -08:00
stripspace.c stripspace: respect repository config 2016-11-21 11:00:38 -08:00
submodule--helper.c Merge branch 'rs/absolute-pathdup' 2017-02-02 13:36:55 -08:00
symbolic-ref.c symbolic-ref -d: do not allow removal of HEAD 2016-09-02 09:01:38 -07:00
tag.c Merge branch 'st/verify-tag' 2017-01-31 13:14:58 -08:00
unpack-file.c convert trivial sprintf / strcpy calls to xsnprintf 2015-09-25 10:18:18 -07:00
unpack-objects.c unpack-objects: add --max-input-size=<size> option 2016-08-24 12:31:05 -07:00
update-index.c hold_locked_index(): align error handling with hold_lockfile_for_update() 2016-12-07 11:31:59 -08:00
update-ref.c
update-server-info.c
upload-archive.c archive: read local configuration 2016-11-22 13:55:20 -08:00
var.c
verify-commit.c
verify-pack.c
verify-tag.c builtin/verify-tag: add --format to verify-tag 2017-01-17 16:10:22 -08:00
worktree.c Merge branch 'ps/worktree-prune-help-fix' 2017-02-10 12:52:25 -08:00
write-tree.c