mirror of
https://github.com/git/git
synced 2024-09-13 21:34:42 +00:00
packfile: avoid overflowing shift during decode
unpack_object_header_buffer() attempts to protect against overflowing left shifts, but the limit of the shift amount should not be the size of the variable being shifted. It should be the size minus the size of its contents. Fix that accordingly.

This was noticed at $DAYJOB by a fuzzer running internally.

Signed-off-by: Jonathan Tan <jonathantanmy@google.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
parent
5fbd2fc599
commit
34de5b8eac
|
@ -1067,7 +1067,7 @@ unsigned long unpack_object_header_buffer(const unsigned char *buf,
|
|||
size = c & 15;
|
||||
shift = 4;
|
||||
while (c & 0x80) {
|
||||
if (len <= used || bitsizeof(long) <= shift) {
|
||||
if (len <= used || (bitsizeof(long) - 7) <= shift) {
|
||||
error("bad object header");
|
||||
size = used = 0;
|
||||
break;
|
||||
|
|
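Review bot: The new bound in the `while` loop's guard, `(bitsizeof(long) - 7) <= shift`, looks one step too strict. A 7-bit group shifted left by `shift` still fits in the variable when `shift + 7 == bitsizeof(long)`, so the rejecting condition only needs `(bitsizeof(long) - 7) < shift`. With `shift = 4` as the starting value, and assuming it advances by 7 per continuation byte (the increment is outside this hunk, but the `- 7` suggests it), a 32-bit `long` reaches `shift == 25`, where the bits fit exactly yet the header is rejected with "bad object header". Consider using `<` there, and adding a short comment saying that 7 is the number of payload bits per byte so the constant is not read as arbitrary.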