Revision 447ac906e189535e77dcb1f4bbe3f1bc917d4c12 authored by Patrick Steinhardt on 01 December 2022, 14:45:31 UTC, committed by Junio C Hamano on 05 December 2022, 06:14:16 UTC
The `struct attr_stack` tracks the stack of all patterns together with
their attributes. When parsing a gitattributes file that has more than
2^31 such patterns though we may trigger multiple out-of-bounds reads on
64 bit platforms. This is because while the `num_matches` variable is an
unsigned integer, we always use a signed integer to iterate over them.

I have not been able to reproduce this issue due to memory constraints
on my systems. But despite the out-of-bounds reads, the worst thing that
can seemingly happen is to call free(3P) with a garbage pointer when
calling `attr_stack_free()`.

Fix this bug by using unsigned integers to iterate over the array. While
this makes the iteration somewhat awkward when iterating in reverse, it
is at least better than knowingly running into an out-of-bounds read.
While at it, convert the call to `ALLOC_GROW` to use `ALLOC_GROW_BY`
instead.

Signed-off-by: Patrick Steinhardt <ps@pks.im>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
1 parent 34ace8b
sha1-lookup.h
#ifndef SHA1_LOOKUP_H
#define SHA1_LOOKUP_H

typedef const unsigned char *sha1_access_fn(size_t index, void *table);

int sha1_pos(const unsigned char *sha1,
	     void *table,
	     size_t nr,
	     sha1_access_fn fn);

/*
 * Searches for sha1 in table, using the given fanout table to determine the
 * interval to search, then using binary search. Returns 1 if found, 0 if not.
 *
 * Takes the following parameters:
 *
 *  - sha1: the hash to search for
 *  - fanout_nbo: a 256-element array of NETWORK-order 32-bit integers; the
 *    integer at position i represents the number of elements in table whose
 *    first byte is less than or equal to i
 *  - table: a sorted list of hashes with optional extra information in between
 *  - stride: distance between two consecutive elements in table (should be
 *    GIT_MAX_RAWSZ or greater)
 *  - result: if not NULL, this function stores the element index of the
 *    position found (if the search is successful) or the index of the least
 *    element that is greater than sha1 (if the search is not successful)
 *
 * This function does not verify the validity of the fanout table.
 */
int bsearch_hash(const unsigned char *sha1, const uint32_t *fanout_nbo,
		 const unsigned char *table, size_t stride, uint32_t *result);
#endif
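
Added example, not part of Git's source: since bsearch_hash() does not verify the fanout table, a caller that reads one from untrusted data can check it before searching. The helpers fanout_is_valid, fanout_interval and build_sample_fanout, and the nr parameter (the entry count the caller already knows for the table), are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Decode one network-order (big-endian) 32-bit fanout entry. */
static uint32_t fanout_entry(const uint32_t *fanout_nbo, unsigned i)
{
	unsigned char b[4];
	memcpy(b, &fanout_nbo[i], sizeof(b));
	return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
	       ((uint32_t)b[2] << 8) | (uint32_t)b[3];
}

/*
 * Hypothetical helper: 1 if the fanout table fits a table of nr entries.
 * Entries must never decrease and the last must equal nr, so every
 * interval derived from the table stays within the nr entries.
 */
int fanout_is_valid(const uint32_t *fanout_nbo, size_t nr)
{
	uint32_t prev = 0;
	for (unsigned i = 0; i < 256; i++) {
		uint32_t cur = fanout_entry(fanout_nbo, i);
		if (cur < prev)
			return 0;
		prev = cur;
	}
	return prev == nr;
}

/* Hypothetical helper: half-open search interval [*lo, *hi) for a first byte. */
void fanout_interval(const uint32_t *fanout_nbo, unsigned char first,
		     uint32_t *lo, uint32_t *hi)
{
	*lo = first ? fanout_entry(fanout_nbo, first - 1u) : 0;
	*hi = fanout_entry(fanout_nbo, first);
}

/* Constructed sample: nr entries that all start with byte 0x10. */
void build_sample_fanout(uint32_t *fanout_nbo, uint32_t nr)
{
	for (unsigned i = 0; i < 256; i++) {
		uint32_t v = i >= 0x10 ? nr : 0;
		unsigned char b[4] = { (unsigned char)(v >> 24), (unsigned char)(v >> 16),
				       (unsigned char)(v >> 8), (unsigned char)v };
		memcpy(&fanout_nbo[i], b, sizeof(b));
	}
}
```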