git@vger.kernel.org mailing list mirror (one of many)
* [BUG] Integer overflow bug in cache-tree.c
@ 2021-10-25  7:39 Yiyuan guo
From: Yiyuan guo @ 2021-10-25  7:39 UTC (permalink / raw)
  To: git

In the file cache-tree.c, the function "static struct cache_tree *read_one(const char **buffer, unsigned long *size_p)" has the following code
(link: https://github.com/git/git/blob/9d530dc0024503ab4218fe6c4395b8a0aa245478/cache-tree.c#L592-#L593):

int subtree_nr;
subtree_nr = strtol(cp, &ep, 10);   /* count parsed from the index file, not range-checked */

it->subtree_alloc = subtree_nr + 2; /* signed overflow when subtree_nr is within 2 of INT_MAX */
CALLOC_ARRAY(it->down, it->subtree_alloc);

The variable subtree_nr is converted from the string buffer. Suppose it equals INT_MAX; the computation of it->subtree_alloc can then trigger a signed integer overflow, and the result is later used to calculate the allocation size.

This can cause security problems if the function do_read_index is
given a crafted index file.
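As an added illustration (not git's own code, and not the fix the project eventually applied), the following hypothetical helper shows how the count read by strtol() can be validated before it feeds the allocation: it rejects missing digits, out-of-range values, negative counts, anything that would make subtree_nr + 2 overflow an int, and any count larger than the bytes still left in the buffer. The "remaining" bound assumes each serialized subtree occupies at least one byte, which is an assumption of this example.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Hypothetical hardened replacement for the two quoted lines.
 * Parses the "#subtrees" count from a cache-tree header field and
 * returns the allocation count (count + 2), or -1 if the field is
 * unparsable, out of range, or cannot fit in the remaining input.
 */
static long subtree_alloc_for(const char *cp, size_t remaining)
{
    char *ep;
    long subtree_nr;

    errno = 0;
    subtree_nr = strtol(cp, &ep, 10);
    if (cp == ep)                      /* no digits at all */
        return -1;
    if (errno == ERANGE)               /* did not fit in a long */
        return -1;
    if (subtree_nr < 0)                /* negative count is nonsense */
        return -1;
    if (subtree_nr > INT_MAX - 2)      /* subtree_nr + 2 would overflow int */
        return -1;
    /* assumption: every serialized subtree needs at least one byte */
    if ((unsigned long)subtree_nr > remaining)
        return -1;

    return subtree_nr + 2;             /* safe: at most INT_MAX */
}

int main(void)
{
    /* constructed sample fields as they would appear after entry_count */
    printf("%ld\n", subtree_alloc_for(" 3\n", 100));        /* 5 */
    printf("%ld\n", subtree_alloc_for(" 2147483647\n", 100)); /* -1 */
    return 0;
}
```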
