From 6b763c424e4ace1678ade5310f3ca3ffbd11af2c Mon Sep 17 00:00:00 2001 From: Junio C Hamano Date: Wed, 5 Sep 2007 21:58:40 -0700 Subject: git-apply: do not read past the end of buffer When the preimage we are patching is shorter than what the patch text expects, we tried to match the buffer contents at the "original" line with the fragment in full, without checking we have enough data to match in the preimage. This caused the size of a later memmove() to wrap around and attempt to scribble almost the entire address space. Not good. The code that follows the part this patch touches tries to match the fragment with line offsets. Curiously, that code does not have the problem --- it guards against reading past the end of the preimage. Signed-off-by: Junio C Hamano diff --git a/builtin-apply.c b/builtin-apply.c index 25b1447..976ec77 100644 --- a/builtin-apply.c +++ b/builtin-apply.c @@ -1514,7 +1514,8 @@ static int find_offset(const char *buf, unsigned long size, const char *fragment } /* Exact line number? */ - if (!memcmp(buf + start, fragment, fragsize)) + if ((start + fragsize <= size) && + !memcmp(buf + start, fragment, fragsize)) return start; /* diff --git a/t/t4123-apply-shrink.sh b/t/t4123-apply-shrink.sh new file mode 100755 index 0000000..984157f --- /dev/null +++ b/t/t4123-apply-shrink.sh @@ -0,0 +1,58 @@ +#!/bin/sh + +test_description='apply a patch that is larger than the preimage' + +. ./test-lib.sh + +cat >F <<\EOF +1 +2 +3 +4 +5 +6 +7 +8 +999999 +A +B +C +D +E +F +G +H +I +J + +EOF + +test_expect_success setup ' + + git add F && + mv F G && + sed -e "s/1/11/" -e "s/999999/9/" -e "s/H/HH/" F && + git diff >patch && + sed -e "/^\$/d" F && + git add F + +' + +test_expect_success 'apply should fail gracefully' ' + + if git apply --index patch + then + echo Oops, should not have succeeded + false + else + status=$? + echo "Status was $status" + if test -f .git/index.lock + then + echo Oops, should not have crashed + false + fi + fi +' + +test_done -- cgit v0.10.2-6-g49f6