aboutsummaryrefslogtreecommitdiff
path: root/vcs-svn/fast_export.c
diff options
context:
space:
mode:
authorJonathan Nieder <jrnieder@gmail.com>2011-05-27 05:18:33 -0500
committerJonathan Nieder <jrnieder@gmail.com>2011-06-15 02:32:50 -0500
commitabe27c0cbd97bf6a693004ddb411392ed596a853 (patch)
treee1ec602814a171bdb4ea8bfaedf75faaea5aa615 /vcs-svn/fast_export.c
parent157415a9a9589a1e8af28e68c6664d39c34877af (diff)
downloadgit-abe27c0cbd97bf6a693004ddb411392ed596a853.tar.gz
git-abe27c0cbd97bf6a693004ddb411392ed596a853.tar.xz
vcs-svn: guard against overflow when computing preimage length
Signed integer overflow produces undefined behavior in C and off_t is a signed type. For predictable behavior, add some checks to protect in advance against overflow. On 32-bit systems ftell as called by buffer_tmpfile_prepare_to_read is likely to fail with EOVERFLOW when reading the corresponding postimage, and this patch does not fix that. So it's more of a futureproofing measure than a complete fix. Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
Diffstat (limited to 'vcs-svn/fast_export.c')
-rw-r--r--vcs-svn/fast_export.c15
1 files changed, 14 insertions, 1 deletions
diff --git a/vcs-svn/fast_export.c b/vcs-svn/fast_export.c
index edc658d4f..96a75d51d 100644
--- a/vcs-svn/fast_export.c
+++ b/vcs-svn/fast_export.c
@@ -166,6 +166,7 @@ static int ends_with(const char *s, size_t len, const char *suffix)
static int parse_cat_response_line(const char *header, off_t *len)
{
size_t headerlen = strlen(header);
+ uintmax_t n;
const char *type;
const char *end;
@@ -174,14 +175,25 @@ static int parse_cat_response_line(const char *header, off_t *len)
type = memmem(header, headerlen, " blob ", strlen(" blob "));
if (!type)
return error("cat-blob header has wrong object type: %s", header);
- *len = strtoumax(type + strlen(" blob "), (char **) &end, 10);
+ n = strtoumax(type + strlen(" blob "), (char **) &end, 10);
if (end == type + strlen(" blob "))
return error("cat-blob header does not contain length: %s", header);
+ if (memchr(type + strlen(" blob "), '-', end - type - strlen(" blob ")))
+ return error("cat-blob header contains negative length: %s", header);
+ if (n == UINTMAX_MAX || n > maximum_signed_value_of_type(off_t))
+ return error("blob too large for current definition of off_t");
+ *len = n;
if (*end)
return error("cat-blob header contains garbage after length: %s", header);
return 0;
}
+static void check_preimage_overflow(off_t a, off_t b)
+{
+ if (signed_add_overflows(a, b))
+ die("blob too large for current definition of off_t");
+}
+
static long apply_delta(off_t len, struct line_buffer *input,
const char *old_data, uint32_t old_mode)
{
@@ -204,6 +216,7 @@ static long apply_delta(off_t len, struct line_buffer *input,
}
if (old_mode == REPO_MODE_LNK) {
strbuf_addstr(&preimage.buf, "link ");
+ check_preimage_overflow(preimage_len, strlen("link "));
preimage_len += strlen("link ");
}
if (svndiff0_apply(input, len, &preimage, out))