summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLibravatar Jeff King <peff@peff.net>2019-04-18 17:17:02 -0400
committerLibravatar Junio C Hamano <gitster@pobox.com>2019-04-19 14:27:07 +0900
commitc6909f9959d394db8b76f08a6e59e5a82dade07a (patch)
treed0162569131416fdc380f1d5c3d806db7f74ffea
parentuntracked cache: fix off-by-one (diff)
downloadtgif-c6909f9959d394db8b76f08a6e59e5a82dade07a.tar.xz
untracked-cache: be defensive about missing NULs in index
The on-disk format for the untracked-cache extension contains NUL-terminated filenames. We parse these from the mmap'd file using string functions like strlen(). This works fine in the normal case, but if we see a malformed or corrupted index, we might read off the end of our mmap. Instead, let's use memchr() to find the trailing NUL within the bytes we know are available, and return an error if it's missing. Note that we can further simplify by folding another range check into our conditional. After we find the end of the string, we set "next" to the byte after the string and treat it as an error if there are no such bytes left. That saves us from having to do a range check at the beginning of each subsequent string (and works because there is always data after each string). We can do both range checks together by checking "!eos" (we didn't find a NUL) and "eos == end" (it was on the last available byte, meaning there's nothing after). This replaces the existing "next > end" checks. Note also that the decode_varint() calls have a similar problem (we don't even pass them "end"; they just keep parsing). These are probably OK in practice since varints have a finite length (we stop parsing when we'd overflow a uintmax_t), so the worst case is that we'd overflow into reading the trailing bytes of the index. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
-rw-r--r--dir.c18
1 files changed, 11 insertions, 7 deletions
diff --git a/dir.c b/dir.c
index f5293a6536..7b0513c476 100644
--- a/dir.c
+++ b/dir.c
@@ -2733,6 +2733,7 @@ static int read_one_dir(struct untracked_cache_dir **untracked_,
{
struct untracked_cache_dir ud, *untracked;
const unsigned char *next, *data = rd->data, *end = rd->end;
+ const unsigned char *eos;
unsigned int value;
int i, len;
@@ -2756,21 +2757,24 @@ static int read_one_dir(struct untracked_cache_dir **untracked_,
ALLOC_ARRAY(ud.dirs, ud.dirs_nr);
data = next;
- len = strlen((const char *)data);
- next = data + len + 1;
- if (next > rd->end)
+ eos = memchr(data, '\0', end - data);
+ if (!eos || eos == end)
return -1;
+ len = eos - data;
+ next = eos + 1;
+
*untracked_ = untracked = xmalloc(st_add3(sizeof(*untracked), len, 1));
memcpy(untracked, &ud, sizeof(ud));
memcpy(untracked->name, data, len + 1);
data = next;
for (i = 0; i < untracked->untracked_nr; i++) {
- len = strlen((const char *)data);
- next = data + len + 1;
- if (next > rd->end)
+ eos = memchr(data, '\0', end - data);
+ if (!eos || eos == end)
return -1;
- untracked->untracked[i] = xstrdup((const char*)data);
+ len = eos - data;
+ next = eos + 1;
+ untracked->untracked[i] = xmemdupz(data, len);
data = next;
}