author Jonathan Tan <jonathantanmy@google.com> 2021-11-10 15:40:33 -0800
committer Junio C Hamano <gitster@pobox.com> 2021-11-11 10:06:37 -0800
commit 34de5b8eac2743497bc1785f661b4184adce21f3 (patch)
tree 944d93d85a85c58141420663a68d91d95eeac0b5
parent 5fbd2fc5997dfa4d4593a862fe729b1e7a89bcf8 (diff)
download git-34de5b8eac2743497bc1785f661b4184adce21f3.tar.xz
packfile: avoid overflowing shift during decode

unpack_object_header_buffer() attempts to protect against overflowing left shifts, but the limit of the shift amount should not be the size of the variable being shifted. It should be the size minus the size of its contents. Fix that accordingly.

This was noticed at $DAYJOB by a fuzzer running internally.

Signed-off-by: Jonathan Tan <jonathantanmy@google.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

-rw-r--r-- packfile.c 2
1 files changed, 1 insertions, 1 deletions
diff --git a/packfile.c b/packfile.c
index 9ef6d98292..d3820c780b 100644
--- a/packfile.c
+++ b/packfile.c
@@ -1067,7 +1067,7 @@ unsigned long unpack_object_header_buffer(const unsigned char *buf,
size = c & 15;
shift = 4;
while (c & 0x80) {
- if (len <= used || bitsizeof(long) <= shift) {
+ if (len <= used || (bitsizeof(long) - 7) <= shift) {
error("bad object header");
size = used = 0;
break;
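
Review bot: the `<=` in the added condition `(bitsizeof(long) - 7) <= shift` looks off by one. A shift exactly equal to `bitsizeof(long) - 7` still leaves room for seven more bits, so this comparison reports "bad object header" for a continuation byte that would not overflow. Assuming shift advances by 7 per byte from the visible `shift = 4`, a 32-bit long reaches exactly 25 on the fourth byte and is rejected there, which caps the decodable size lower than the type allows. Consider `(bitsizeof(long) - 7) < shift` instead. The bare `7` would also benefit from a short comment saying it is the number of payload bits each continuation byte contributes, since the loop body that consumes them is outside this hunk. The change ships without a test, so a regression case built from the fuzzer input, plus one header whose size lands on the boundary, would be worth adding.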