From 2be7fc012e6747160b4b6586a1ec209598581ade Mon Sep 17 00:00:00 2001 From: Patrick Steinhardt Date: Mon, 7 Oct 2024 06:38:18 +0200 Subject: cache-tree: detect mismatching number of index entries In t4058 we have some tests that exercise git-read-tree(1) when used with a tree that contains duplicate entries. While the expectation is that we fail, we ideally should fail gracefully without a segfault. But that is not the case: we never check that the number of entries in the cache-tree is less than or equal to the number of entries in the index. This can lead to an out-of-bounds read as we unconditionally access `istate->cache[idx]`, where `idx` is controlled by the number of cache-tree entries and the current position therein. The result is a segfault. Fix this segfault by adding a sanity check for the number of index entries before dereferencing them. Signed-off-by: Patrick Steinhardt Signed-off-by: Junio C Hamano --- cache-tree.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'cache-tree.c') diff --git a/cache-tree.c b/cache-tree.c index 4228b6fad4..1e62567308 100644 --- a/cache-tree.c +++ b/cache-tree.c @@ -933,6 +933,11 @@ static int verify_one(struct repository *r, pos = 0; } + if (it->entry_count + pos > istate->cache_nr) { + ret = error(_("corrupted cache-tree has entries not present in index")); + goto out; + } + i = 0; while (i < it->entry_count) { struct cache_entry *ce = istate->cache[pos + i]; -- cgit v1.3