summaryrefslogtreecommitdiff
path: root/builtin
diff options
context:
space:
mode:
authorLibravatar Jeff King <peff@peff.net>2016-02-25 09:22:52 -0500
committerLibravatar Junio C Hamano <gitster@pobox.com>2016-02-25 11:32:43 -0800
commit47fe3f6ef0f5a336db90d816c5fb4330ffa23668 (patch)
tree86425f817d2e2116956355c387cafd78b50e9877 /builtin
parentt5313: test bounds-checks of corrupted/malicious pack/idx files (diff)
downloadtgif-47fe3f6ef0f5a336db90d816c5fb4330ffa23668.tar.xz
nth_packed_object_offset: bounds-check extended offset
If a pack .idx file has a corrupted offset for an object, we may try to access an offset in the .idx or .pack file that is larger than the file's size. For the .pack case, we have use_pack() to protect us, which realizes the access is out of bounds. But if the corrupted value asks us to look in the .idx file's secondary 64-bit offset table, we blindly add it to the mmap'd index data and access arbitrary memory. We can fix this with a simple bounds-check compared to the size we found when we opened the .idx file. Note that there's similar code in index-pack that is triggered only during "index-pack --verify". To support both, we pull the bounds-check into a separate function, which dies when it sees a corrupted file. It would be nice if we could return an error, so that the pack code could try to find a good copy of the object elsewhere. Currently nth_packed_object_offset doesn't have any way to return an error, but it could probably use "0" as a sentinel value (since no object can start there). This is the minimal fix, and we can improve the resilience later on top. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'builtin')
-rw-r--r--builtin/index-pack.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/builtin/index-pack.c b/builtin/index-pack.c
index 723fe8e11d..98bdbb5e6c 100644
--- a/builtin/index-pack.c
+++ b/builtin/index-pack.c
@@ -1445,6 +1445,7 @@ static void read_v2_anomalous_offsets(struct packed_git *p,
if (!(off & 0x80000000))
continue;
off = off & 0x7fffffff;
+ check_pack_index_ptr(p, &idx2[off * 2]);
if (idx2[off * 2])
continue;
/*