diff options
| author |  Jann Horn <jannh@google.com> | 2018-08-30 03:09:45 -0400 |
|---|---|---|
| committer |  Junio C Hamano <gitster@pobox.com> | 2018-08-30 10:30:22 -0700 |
| commit | 21870efc4aab4732ba2c422ef116597c54e4a8ec (patch) | |
| tree | 26867e6b0d64b7a49c4d73bf8760e54385085a32 /Documentation/RelNotes/2.2.2.txt | |
| parent | t5303: test some corrupt deltas (diff) | |
| download | tgif-21870efc4aab4732ba2c422ef116597c54e4a8ec.tar.xz | |
patch-delta: fix oob read
If `cmd` is in the range [0x01,0x7f] and `cmd > top-data`, the
`memcpy(out, data, cmd)` can copy out-of-bounds data from after `delta_buf`
into `dst_buf`.
This is not an exploitable bug because triggering the bug increments the
`data` pointer beyond `top`, causing the `data != top` sanity check after
the loop to trigger and discard the destination buffer - which means that
the result of the out-of-bounds read is never used for anything.
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Jeff King <peff@peff.net>
Reviewed-by: Nicolas Pitre <nico@fluxnic.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'Documentation/RelNotes/2.2.2.txt')
0 files changed, 0 insertions, 0 deletions