commit-graph: fix buffer read-overflow

fuzz-commit-graph identified a case where Git will read past the end of a buffer containing a commit graph if the graph's header has an incorrect chunk count. A simple bounds check in parse_commit_graph() prevents this. Signed-off-by: Josh Steadmon <steadmon@google.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
author: Josh Steadmon <steadmon@google.com> 2019-01-15 14:25:51 -0800
committer: Junio C Hamano <gitster@pobox.com> 2019-01-15 20:32:00 -0800
commit: d2b86fbaa1f6c0606330caf3cc3fdf8984ddc66a (patch)
tree: 7c05e504d723791d208b863e848a41a35e3f20fe /commit-graph.c
parent: aa658574bfcbe03f5703458ac10be1ef3f5f5472 (diff)
download: git-d2b86fbaa1f6c0606330caf3cc3fdf8984ddc66a.tar.gz
1 files changed, 12 insertions, 2 deletions
diff --git a/commit-graph.c b/commit-graph.c
index 15afad245a..359e782dee 100644
--- a/commit-graph.c
+++ b/commit-graph.c
@@ -165,10 +165,20 @@ struct commit_graph *parse_commit_graph(void *graph_map, int fd,
 	last_chunk_offset = 8;
 	chunk_lookup = data + 8;
 	for (i = 0; i < graph->num_chunks; i++) {
-		uint32_t chunk_id = get_be32(chunk_lookup + 0);
-		uint64_t chunk_offset = get_be64(chunk_lookup + 4);
+		uint32_t chunk_id;
+		uint64_t chunk_offset;
 		int chunk_repeated = 0;
 
+		if (data + graph_size - chunk_lookup <
+		    GRAPH_CHUNKLOOKUP_WIDTH) {
+			error(_("chunk lookup table entry missing; graph file may be incomplete"));
+			free(graph);
+			return NULL;
+		}
+
+		chunk_id = get_be32(chunk_lookup + 0);
+		chunk_offset = get_be64(chunk_lookup + 4);
+
 		chunk_lookup += GRAPH_CHUNKLOOKUP_WIDTH;
 
 		if (chunk_offset > graph_size - GIT_MAX_RAWSZ) {
author	Josh Steadmon <steadmon@google.com>	2019-01-15 14:25:51 -0800
committer	Junio C Hamano <gitster@pobox.com>	2019-01-15 20:32:00 -0800
commit	d2b86fbaa1f6c0606330caf3cc3fdf8984ddc66a (patch)
tree	7c05e504d723791d208b863e848a41a35e3f20fe /commit-graph.c
parent	aa658574bfcbe03f5703458ac10be1ef3f5f5472 (diff)
download	git-d2b86fbaa1f6c0606330caf3cc3fdf8984ddc66a.tar.gz