patch-delta: fix oob read If `cmd` is in the range [0x01,0x7f] and `cmd > top-data`, the `memcpy(out, data, cmd)` can copy out-of-bounds data from after `delta_buf` into `dst_buf`. This is not an exploitable bug because triggering the bug increments the `data` pointer beyond `top`, causing the `data != top` sanity check after the loop to trigger and discard the destination buffer - which means that the result of the out-of-bounds read is never used for anything. Signed-off-by: Jann Horn <jannh@google.com> Signed-off-by: Jeff King <peff@peff.net> Reviewed-by: Nicolas Pitre <nico@fluxnic.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>

commit: 21870efc4aab4732ba2c422ef116597c54e4a8ec [log] [tgz]
author: Jann Horn <jannh@google.com> Thu Aug 30 03:09:45 2018 -0400
committer: Junio C Hamano <gitster@pobox.com> Thu Aug 30 10:30:22 2018 -0700
tree: 26867e6b0d64b7a49c4d73bf8760e54385085a32
parent: 9caf0107a86d11f059554e55c461f8e7657d89bf [diff] [blame]
diff --git a/patch-delta.c b/patch-delta.c
index 56e0a5e..b937afd 100644
--- a/patch-delta.c
+++ b/patch-delta.c

@@ -56,7 +56,7 @@ void *patch_delta(const void *src_buf, unsigned long src_size,
 			out += cp_size;
 			size -= cp_size;
 		} else if (cmd) {
-			if (cmd > size)
+			if (cmd > size || cmd > top - data)
 				break;
 			memcpy(out, data, cmd);
 			out += cmd;
commit	21870efc4aab4732ba2c422ef116597c54e4a8ec	[log] [tgz]
author	Jann Horn <jannh@google.com>	Thu Aug 30 03:09:45 2018 -0400
committer	Junio C Hamano <gitster@pobox.com>	Thu Aug 30 10:30:22 2018 -0700
tree	26867e6b0d64b7a49c4d73bf8760e54385085a32
parent	9caf0107a86d11f059554e55c461f8e7657d89bf [diff] [blame]