diff options
| author |  Jeff King <peff@peff.net> | 2018-06-14 23:44:43 -0400 |
|---|---|---|
| committer |  Junio C Hamano <gitster@pobox.com> | 2018-06-18 09:13:57 -0700 |
| commit | 1140bf01ecf4a49c32b3c385dd782cd183e730af (patch) | |
| tree | 9253363dc076c4cf88cc60b93d1706fd38f3f0c5 | |
| parent | ewah_read_mmap: bounds-check mmap reads (diff) | |
| download | tgif-1140bf01ecf4a49c32b3c385dd782cd183e730af.tar.xz | |
ewah: adjust callers of ewah_read_mmap()
The return value of ewah_read_mmap() is now an ssize_t,
since we could (in theory) process up to 32GB of data. This
would never happen in practice, but a corrupt or malicious
.bitmap or index file could convince us to do so.
Let's make sure that we don't stuff the value into an int,
which would cause us to incorrectly move our pointer
forward. We'd always move too little, since negative values
are used for reporting errors. So the worst case is just
that we end up reporting a corrupt file, not an
out-of-bounds read.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
| -rw-r--r-- | dir.c | 3 | ||||
| -rw-r--r-- | pack-bitmap.c | 2 |
2 files changed, 3 insertions, 2 deletions
@@ -2831,7 +2831,8 @@ struct untracked_cache *read_untracked_extension(const void *data, unsigned long struct read_data rd; const unsigned char *next = data, *end = (const unsigned char *)data + sz; const char *ident; - int ident_len, len; + int ident_len; + ssize_t len; const char *exclude_per_dir; if (sz <= 1 || end[-1] != '\0') diff --git a/pack-bitmap.c b/pack-bitmap.c index 9270983e5f..7e92d83195 100644 --- a/pack-bitmap.c +++ b/pack-bitmap.c @@ -118,7 +118,7 @@ static struct ewah_bitmap *read_bitmap_1(struct bitmap_index *index) { struct ewah_bitmap *b = ewah_pool_new(); - int bitmap_size = ewah_read_mmap(b, + ssize_t bitmap_size = ewah_read_mmap(b, index->map + index->map_pos, index->map_size - index->map_pos); |