On Wed, 2016-03-16 at 17:16 -0700, Jonathan Nieder wrote:
> Ben Hutchings wrote:
> >
> > I intend to NMU git to fix these bugs in unstable, as they make most of
> > my development activity unsafe.
> >
> > git maintainers, please let me know if you're already preparing an
> > update.
> I'm already preparing an update.
Thanks. For what it's worth, I'm attaching my minimal fix for CVE-2016-2324. All existing tests pass, but I don't have a reproducer for the security issue so I can't be certain it's fixed.

Ben.

-- 
Ben Hutchings
Absolutum obsoletum. (If it works, it's out of date.) - Stafford Beer
From: Ben Hutchings <b...@decadent.org.uk>
Date: Wed, 16 Mar 2016 23:53:59 +0000
Subject: Fix integer overflow in path_name() function

This addresses CVE-2016-2324, which was fixed upstream by commit 13528ab37cad ("list-objects: convert name_path to a strbuf"). Instead of making API changes, fix the type of name_path::elem_len to be size_t and use the st_add*() functions to check for overflow in path_name().

show_path_component_truncated() currently returns a length derived from name_path::elem_len *or* -1, but its caller only cares about the sign of the result so squash the length to 0 or 1.

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
 revision.c | 12 ++++++------
 revision.h | 2 +-
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/revision.c b/revision.c index df56fce..d4cb2e2 100644 --- a/revision.c +++ b/revision.c @@ -29,12 +29,12 @@ char *path_name(const struct name_path *path, const char *name) { const struct name_path *p; char *n, *m; - int nlen = strlen(name); - int len = nlen + 1; + size_t nlen = strlen(name); + size_t len = st_add(nlen, 1); for (p = path; p; p = p->up) { if (p->elem_len) - len += p->elem_len + 1; + len = st_add3(len, p->elem_len, 1); } n = xmalloc(len); m = n + len - (nlen + 1); @@ -49,16 +49,16 @@ char *path_name(const struct name_path *path, const char *name) return n; } -static int show_path_component_truncated(FILE *out, const char *name, int len) +static int show_path_component_truncated(FILE *out, const char *name, size_t len) { - int cnt; + size_t cnt; for (cnt = 0; cnt < len; cnt++) { int ch = name[cnt]; if (!ch || ch == '\n') return -1; fputc(ch, out); } - return len; + return !!len; } static int show_path_truncated(FILE *out, const struct name_path *path) diff --git a/revision.h b/revision.h index 23857c0..8e052c5 100644 --- a/revision.h +++ b/revision.h 
@@ -259,7 +259,7 @@ extern void mark_tree_uninteresting(struct tree *tree); struct name_path { struct name_path *up; - int elem_len; + size_t elem_len; const char *elem; };
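Review bot: the path_name() hunk (@@ -29,12 +29,12 @@) makes the allocation size depend on st_add() and st_add3(), but nothing in this patch defines them; confirm the git version being NMU'd already ships those helpers in git-compat-util.h, otherwise the build fails on the first use of `size_t len = st_add(nlen, 1);`. The commit message should also state what these helpers do when the addition overflows (abort the command versus return a clamped value), since that is now the observable failure mode for an oversized path instead of an under-sized xmalloc().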
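Review bot: in the show_path_component_truncated() hunk (@@ -49,16 +49,16 @@), replacing `return len;` with `return !!len;` is only safe if show_path_truncated() treats the result purely as negative / zero / non-zero; that caller is not in the diff, so the "only cares about the sign" statement in the commit message should be checked against its code, because a caller that uses the value as a printed length, or compares it with elem_len, would silently change behaviour. The int return type is still right here, as -1 remains the one error value and the size_t `cnt` never escapes the function.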
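Review bot: widening name_path::elem_len from int to size_t in the revision.h hunk (@@ -259,7 +259,7 @@) affects every reader and writer of the field, yet the diffstat shows only revision.c and revision.h changed; the code that fills in elem_len while walking trees (the list-objects code the commit message mentions) should be checked for assignments from int and for signed comparisons that become dead or sign-converting with the new type. Building the patched tree with -Wsign-compare is a quick way to surface any such site before the upload.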