diff options
author | Jann Horn <jannh@google.com> | 2018-08-30 07:09:45 (GMT) |
---|---|---|
committer | Junio C Hamano <gitster@pobox.com> | 2018-08-30 17:30:22 (GMT) |
commit | 21870efc4aab4732ba2c422ef116597c54e4a8ec (patch) | |
tree | 26867e6b0d64b7a49c4d73bf8760e54385085a32 /t/t5303-pack-corruption-resilience.sh | |
parent | 9caf0107a86d11f059554e55c461f8e7657d89bf (diff) | |
download | git-21870efc4aab4732ba2c422ef116597c54e4a8ec.zip git-21870efc4aab4732ba2c422ef116597c54e4a8ec.tar.gz git-21870efc4aab4732ba2c422ef116597c54e4a8ec.tar.bz2 |
patch-delta: fix oob read
If `cmd` is in the range [0x01,0x7f] and `cmd > top-data`, the
`memcpy(out, data, cmd)` can copy out-of-bounds data from after `delta_buf`
into `dst_buf`.
This is not an exploitable bug because triggering the bug increments the
`data` pointer beyond `top`, causing the `data != top` sanity check after
the loop to trigger and discard the destination buffer - which means that
the result of the out-of-bounds read is never used for anything.
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Jeff King <peff@peff.net>
Reviewed-by: Nicolas Pitre <nico@fluxnic.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 't/t5303-pack-corruption-resilience.sh')
-rwxr-xr-x | t/t5303-pack-corruption-resilience.sh | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/t/t5303-pack-corruption-resilience.sh b/t/t5303-pack-corruption-resilience.sh index 912e659..7114c31 100755 --- a/t/t5303-pack-corruption-resilience.sh +++ b/t/t5303-pack-corruption-resilience.sh @@ -341,7 +341,7 @@ test_expect_success \ # \0 - empty base # \2 - two bytes in result # \2 - two literal bytes (we are short one) -test_expect_failure \ +test_expect_success \ 'apply delta with too few literal bytes' \ 'printf "\0\2\2X" > truncated_delta && test_must_fail test-tool delta -p /dev/null truncated_delta /dev/null' |