From: Junio C Hamano <gitster@pobox.com>
To: Jonathan Tan <jonathantanmy@google.com>
Cc: git@vger.kernel.org
Subject: Re: [PATCH] packfile: avoid overflowing shift during decode
Date: Wed, 10 Nov 2021 17:58:08 -0800 [thread overview]
Message-ID: <xmqqpmr7v4gf.fsf@gitster.g> (raw)
In-Reply-To: 20211110234033.3144165-1-jonathantanmy@google.com
Jonathan Tan <jonathantanmy@google.com> writes:
> situation by dying if the left shift overflows, but this patch is still
> worthwhile as it makes a bad header be reported as a bad header, not a
> fatal left shift overflow.
Hmph, I am not sure if I like to see it put that way, but I think
the problem is not anything new.
Even when we have a packfile that is in a good shape, the current
machine (especially its wordsize) may not be capable of extracting
the object we are looking at from the packstream, when the object is
larger than the current machine's ulong can express. So it may be
an indication that your machine cannot use the packed object, but
may not be an indication that there is anything _wrong_ in the
object header.
Side note. I suspect that this should already be the case; you
can pack a large object whose size do not fit in u32 on a box
whose ulong is u64, and you wouldn't be able to use such a
packfile on a box where ulong is u32. There is no "bad object
header" in the pack stream per-se, but we cannot use it there.
After all, the reason why we chose to use the varint encoding is
because we do not have to change the file format when we extend
beyond the architectures of prevailing word size of the day.
Having said all that, I think the patch is correct. We later use
the number "shift" as the shift count like so
size += (c & 0x7f) << shift;
In order for the uppermost bit from (c & 0x7f) to be still inside
"size", it is not sufficient that "shift" does not exceed the
bit-size of "size". We need to subtract the bitscanreverse of
(0x7f), which is 7, which is exactly what your patch does.
Looking good. Thanks.
> packfile.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/packfile.c b/packfile.c
> index 89402cfc69..972c327e29 100644
> --- a/packfile.c
> +++ b/packfile.c
> @@ -1068,7 +1068,7 @@ unsigned long unpack_object_header_buffer(const unsigned char *buf,
> size = c & 15;
> shift = 4;
> while (c & 0x80) {
> - if (len <= used || bitsizeof(long) <= shift) {
> + if (len <= used || (bitsizeof(long) - 7) <= shift) {
> error("bad object header");
> size = used = 0;
> break;
next prev parent reply other threads:[~2021-11-11 1:58 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-10 23:40 [PATCH] packfile: avoid overflowing shift during decode Jonathan Tan
2021-11-11 1:58 ` Junio C Hamano [this message]
2022-01-10 23:22 ` Marc Strapetz
2022-01-12 20:06 ` Junio C Hamano
2022-01-12 20:12 ` Junio C Hamano
2022-01-12 20:27 ` Jonathan Tan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=xmqqpmr7v4gf.fsf@gitster.g \
--to=gitster@pobox.com \
--cc=git@vger.kernel.org \
--cc=jonathantanmy@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).