From: Junio C Hamano
Date: Tue, 5 Feb 2019 22:26:11 +0000 (-0800)
Subject: Merge branch 'js/commit-graph-chunk-table-fix'
X-Git-Tag: v2.21.0-rc0~52
X-Git-Url: https://git.lorimer.id.au/gitweb.git/diff_plain/19a504d92bde1ba1936eb025c571fef7e6630e4b

Merge branch 'js/commit-graph-chunk-table-fix'

The codepath to read from the commit-graph file attempted to read past the end of it when the file's table-of-contents was corrupt.

* js/commit-graph-chunk-table-fix:
Makefile: correct example fuzz build
commit-graph: fix buffer read-overflow
commit-graph, fuzz: add fuzzer for commit-graph
---

19a504d92bde1ba1936eb025c571fef7e6630e4b
diff --cc commit-graph.c
index 30f1781176,359e782dee..18bd2b6df7
--- a/commit-graph.c
+++ b/commit-graph.c
@@@ -124,10 -147,10 +146,10 @@@ struct commit_graph *parse_commit_graph
}
hash_version = *(unsigned char*)(data + 5);
- if (hash_version != GRAPH_OID_VERSION) {
+ if (hash_version != oid_version()) {
error(_("hash version %X does not match version %X"),
- hash_version, GRAPH_OID_VERSION);
+ hash_version, oid_version());
- goto cleanup_fail;
+ return NULL;
}
graph = alloc_commit_graph();
@@@ -142,16 -165,27 +164,27 @@@ last_chunk_offset = 8;
chunk_lookup = data + 8;
for (i = 0; i < graph->num_chunks; i++) {
- uint32_t chunk_id = get_be32(chunk_lookup + 0);
- uint64_t chunk_offset = get_be64(chunk_lookup + 4);
+ uint32_t chunk_id;
+ uint64_t chunk_offset;
int chunk_repeated = 0;
+ if (data + graph_size - chunk_lookup <
+ GRAPH_CHUNKLOOKUP_WIDTH) {
+ error(_("chunk lookup table entry missing; graph file may be incomplete"));
+ free(graph);
+ return NULL;
+ }
+
+ chunk_id = get_be32(chunk_lookup + 0);
+ chunk_offset = get_be64(chunk_lookup + 4);
+ chunk_lookup += GRAPH_CHUNKLOOKUP_WIDTH;
- if (chunk_offset > graph_size - GIT_MAX_RAWSZ) {
+ if (chunk_offset > graph_size - the_hash_algo->rawsz) {
error(_("improper chunk offset %08x%08x"),
(uint32_t)(chunk_offset >> 32),
(uint32_t)chunk_offset);
- goto cleanup_fail;
+ free(graph);
+ return NULL;
}
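Review bot: The `return NULL` that replaces `goto cleanup_fail` in the hash-version check (and the `free(graph); return NULL;` pairs in the chunk-lookup hunk that follows) leaves whatever the old cleanup label did with the mapping and descriptor to the caller of parse_commit_graph; that contract is not visible in the hunk, so it is worth confirming that the caller unmaps the file on a NULL return, and a comment at the return such as `/* caller owns the mapping; nothing to release here */` would make the ownership explicit. The read of `*(unsigned char*)(data + 5)` just above the check, and the `graph_size - the_hash_algo->rawsz` subtraction in the next hunk, are only safe if a minimum-size check on `graph_size` runs earlier in the function, which is outside this hunk; with the commit also adding a fuzzer that presumably feeds this parser directly, that precondition should either be an explicit guard at the top of the function or be stated in its header comment. parse_commit_graph starts before and continues after this hunk.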
switch (chunk_id) {