From abe27c0cbd97bf6a693004ddb411392ed596a853 Mon Sep 17 00:00:00 2001 From: Jonathan Nieder Date: Fri, 27 May 2011 05:18:33 -0500 Subject: [PATCH] vcs-svn: guard against overflow when computing preimage length Signed integer overflow produces undefined behavior in C and off_t is a signed type. For predictable behavior, add some checks to protect in advance against overflow. On 32-bit systems ftell as called by buffer_tmpfile_prepare_to_read is likely to fail with EOVERFLOW when reading the corresponding postimage, and this patch does not fix that. So it's more of a futureproofing measure than a complete fix. Signed-off-by: Jonathan Nieder --- vcs-svn/fast_export.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/vcs-svn/fast_export.c b/vcs-svn/fast_export.c index edc658d4f..96a75d51d 100644 --- a/vcs-svn/fast_export.c +++ b/vcs-svn/fast_export.c @@ -166,6 +166,7 @@ static int ends_with(const char *s, size_t len, const char *suffix) static int parse_cat_response_line(const char *header, off_t *len) { size_t headerlen = strlen(header); + uintmax_t n; const char *type; const char *end; @@ -174,14 +175,25 @@ static int parse_cat_response_line(const char *header, off_t *len) type = memmem(header, headerlen, " blob ", strlen(" blob ")); if (!type) return error("cat-blob header has wrong object type: %s", header); - *len = strtoumax(type + strlen(" blob "), (char **) &end, 10); + n = strtoumax(type + strlen(" blob "), (char **) &end, 10); if (end == type + strlen(" blob ")) return error("cat-blob header does not contain length: %s", header); + if (memchr(type + strlen(" blob "), '-', end - type - strlen(" blob "))) + return error("cat-blob header contains negative length: %s", header); + if (n == UINTMAX_MAX || n > maximum_signed_value_of_type(off_t)) + return error("blob too large for current definition of off_t"); + *len = n; if (*end) return error("cat-blob header contains garbage after length: %s", header); return 0; } +static void check_preimage_overflow(off_t a, off_t b) +{ + if (signed_add_overflows(a, b)) + die("blob too large for current definition of off_t"); +} + static long apply_delta(off_t len, struct line_buffer *input, const char *old_data, uint32_t old_mode) { @@ -204,6 +216,7 @@ static long apply_delta(off_t len, struct line_buffer *input, } if (old_mode == REPO_MODE_LNK) { strbuf_addstr(&preimage.buf, "link "); + check_preimage_overflow(preimage_len, strlen("link ")); preimage_len += strlen("link "); } if (svndiff0_apply(input, len, &preimage, out)) -- 2.26.2