aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorIngo Molnar <mingo@elte.hu>2005-04-14 13:18:19 +0200
committerPetr Baudis <xpasky@machine.sinus.cz>2005-05-11 22:43:24 +0200
commitcb1da3a794fb384cab6a515afc008991e180831e (patch)
treed9f6c8120f0ab4b73af5fb35b77b2b4b1d71cd3e
parent071c41a047e4c851836669648716e361f8e0b5ad (diff)
downloadgit-cb1da3a794fb384cab6a515afc008991e180831e.tar.gz
git-cb1da3a794fb384cab6a515afc008991e180831e.tar.xz
[patch] git: fix overflow in update-cache.c
this patch fixes a 1-byte overflow in update-cache.c (probably not exploitable). A specially crafted db object might trigger this overflow. the bug is that normally the 'type' field is parsed by read_sha1_file(), via: if (sscanf(buffer, "%10s %lu", type, size) != 2) i.e. 0-10 long strings, which take 1-11 bytes of space. Normally the type strings are stored in char [20] arrays, but in update-cache.c that is char [10], so a 1 byte overflow might occur. This should not happen with a 'friendly' DB, as the longest type string ("commit") is 7 bytes long. The fix is to use the customary char [20]. (someone might want to clean those open-coded constants up with a TYPE_LEN define, they do tend to cause problems like this. I'm not against open-coded constants (they make code much more readable), but for fields that get filled in from possibly hostile objects this is playing with fire.) hey, this might be the first true security fix for GIT? ;-) Signed-off-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: Petr Baudis <pasky@ucw.cz>
-rw-r--r--update-cache.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/update-cache.c b/update-cache.c
index d7caed64f..3b44fe14e 100644
--- a/update-cache.c
+++ b/update-cache.c
@@ -131,7 +131,7 @@ static int compare_data(struct cache_entry *ce, unsigned long expected_size)
if (fd >= 0) {
void *buffer;
unsigned long size;
- char type[10];
+ char type[20];
buffer = read_sha1_file(ce->sha1, type, &size);
if (buffer) {