Revision 447ac906e189535e77dcb1f4bbe3f1bc917d4c12 authored by Patrick Steinhardt on 01 December 2022, 14:45:31 UTC, committed by Junio C Hamano on 05 December 2022, 06:14:16 UTC
The `struct attr_stack` tracks the stack of all patterns together with their attributes. When parsing a gitattributes file that has more than 2^31 such patterns though we may trigger multiple out-of-bounds reads on 64 bit platforms. This is because while the `num_matches` variable is an unsigned integer, we always use a signed integer to iterate over them. I have not been able to reproduce this issue due to memory constraints on my systems. But despite the out-of-bounds reads, the worst thing that can seemingly happen is to call free(3P) with a garbage pointer when calling `attr_stack_free()`. Fix this bug by using unsigned integers to iterate over the array. While this makes the iteration somewhat awkward when iterating in reverse, it is at least better than knowingly running into an out-of-bounds read. While at it, convert the call to `ALLOC_GROW` to use `ALLOC_GROW_BY` instead. Signed-off-by: Patrick Steinhardt <ps@pks.im> Signed-off-by: Junio C Hamano <gitster@pobox.com>
1 parent 34ace8b
upload-pack.h
#ifndef UPLOAD_PACK_H
#define UPLOAD_PACK_H
struct upload_pack_options {
int stateless_rpc;
int advertise_refs;
unsigned int timeout;
int daemon_mode;
};
void upload_pack(struct upload_pack_options *options);
struct repository;
struct strvec;
struct packet_reader;
int upload_pack_v2(struct repository *r, struct strvec *keys,
struct packet_reader *request);
struct strbuf;
int upload_pack_advertise(struct repository *r,
struct strbuf *value);
#endif /* UPLOAD_PACK_H */
Computing file changes ...
