authorLibravatar Junio C Hamano <gitster@pobox.com>2019-10-07 11:32:57 +0900
committerLibravatar Junio C Hamano <gitster@pobox.com>2019-10-07 11:32:57 +0900
commit773521df2689cc3ada76495c5b4061753b510d32 (patch)
treec88cd2a7656537094bf73e7c5745213ed8e81e70
parentMerge branch 'dl/submodule-set-branch' (diff)
parentsha1-name: check for overflow of N in "foo^N" and "foo~N" (diff)
Merge branch 'rs/nth-parent-parse'
The object name parser for "Nth parent" syntax has been made more robust against integer overflows. * rs/nth-parent-parse: sha1-name: check for overflow of N in "foo^N" and "foo~N" rev-parse: demonstrate overflow of N for "foo^N" and "foo~N"
-rw-r--r--sha1-name.c15
-rwxr-xr-xt/t1506-rev-parse-diagnosis.sh8
2 files changed, 20 insertions, 3 deletions
diff --git a/sha1-name.c b/sha1-name.c
index c665e3f96d..7a047e9e2b 100644
--- a/sha1-name.c
+++ b/sha1-name.c
@@ -1160,13 +1160,22 @@ static enum get_oid_result get_oid_1(struct repository *r,
}
if (has_suffix) {
- int num = 0;
+ unsigned int num = 0;
int len1 = cp - name;
cp++;
- while (cp < name + len)
- num = num * 10 + *cp++ - '0';
+ while (cp < name + len) {
+ unsigned int digit = *cp++ - '0';
+ if (unsigned_mult_overflows(num, 10))
+ return MISSING_OBJECT;
+ num *= 10;
+ if (unsigned_add_overflows(num, digit))
+ return MISSING_OBJECT;
+ num += digit;
+ }
if (!num && len1 == len - 1)
num = 1;
+ else if (num > INT_MAX)
+ return MISSING_OBJECT;
if (has_suffix == '^')
return get_parent(r, name, len1, oid, num);
/* else if (has_suffix == '~') -- goes without saying */
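Review bot: The `else if (num > INT_MAX)` bound carries no comment explaining why a value that already passed both unsigned overflow checks is rejected a second time. Presumably this is because `num` is handed to `get_parent()` (and to the `~` path below the hunk) as a signed int, which is worth stating, e.g. `/* num is passed on as int; refuse values that would not fit */`. The loop at `unsigned int digit = *cp++ - '0';` also relies on every byte in `[cp, name + len)` being an ASCII digit, which must be guaranteed by the suffix scan above the hunk; a short comment naming that invariant would keep a later change to the scan from silently feeding non-digits here. Since `MISSING_OBJECT` is now also returned for an out-of-range N, a brief note on that choice would help callers that report errors. The body of `get_oid_1` starts and ends outside the hunk.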
diff --git a/t/t1506-rev-parse-diagnosis.sh b/t/t1506-rev-parse-diagnosis.sh
index 21a9c8ffb2..624d0a588f 100755
--- a/t/t1506-rev-parse-diagnosis.sh
+++ b/t/t1506-rev-parse-diagnosis.sh
@@ -214,4 +214,12 @@ test_expect_success 'arg before dashdash must be a revision (ambiguous)' '
test_cmp expect actual
'
+test_expect_success 'reject Nth parent if N is too high' '
+ test_must_fail git rev-parse HEAD^100000000000000000000000000000000
+'
+
+test_expect_success 'reject Nth ancestor if N is too high' '
+ test_must_fail git rev-parse HEAD~100000000000000000000000000000000
+'
+
test_done
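Review bot: Both new tests use a 33-digit N, which trips the multiplication overflow check, so the separate `num > INT_MAX` branch in `sha1-name.c` is never exercised. A value that fits in `unsigned int` but not in `int` would cover it, for example (constructed, assuming a 32-bit int) `test_must_fail git rev-parse HEAD^2147483648` and the same with `HEAD~`. Without such a case, a regression that drops the `INT_MAX` bound and lets a large N wrap negative on the way into the parent lookup would still pass this script.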