check patch_delta bounds more carefully

Let's avoid going south with invalid delta data. Signed-off-by: Nicolas Pitre <nico@cam.org> Signed-off-by: Junio C Hamano <junkio@cox.net>
author: Nicolas Pitre <nico@cam.org> 2006-04-07 15:26:10 -0400
committer: Junio C Hamano <junkio@cox.net> 2006-04-07 16:31:20 -0700
commit: 8960844a7890b1ac6ad5f8abf58a2a20923dde6d (patch)
tree: 680ed7cbcd0c3739dc8e34926d83115bcef6e889 /delta.h
parent: 7d6c447145c07bb7d96a9aa17e33838fbe76e405 (diff)
download: git-8960844a7890b1ac6ad5f8abf58a2a20923dde6d.tar.gz
1 files changed, 3 insertions, 2 deletions
diff --git a/delta.h b/delta.h
index a15350dabc..9464f3e9b0 100644
--- a/delta.h
+++ b/delta.h
@@ -16,7 +16,8 @@ extern void *patch_delta(void *src_buf, unsigned long src_size,
  * This must be called twice on the delta data buffer, first to get the
  * expected reference buffer size, and again to get the result buffer size.
  */
-static inline unsigned long get_delta_hdr_size(const unsigned char **datap)
+static inline unsigned long get_delta_hdr_size(const unsigned char **datap,
+					       const unsigned char *top)
 {
 	const unsigned char *data = *datap;
 	unsigned char cmd;
@@ -26,7 +27,7 @@ static inline unsigned long get_delta_hdr_size(const unsigned char **datap)
 		cmd = *data++;
 		size |= (cmd & ~0x80) << i;
 		i += 7;
-	} while (cmd & 0x80);
+	} while (cmd & 0x80 && data < top);
 	*datap = data;
 	return size;
 }
author	Nicolas Pitre <nico@cam.org>	2006-04-07 15:26:10 -0400
committer	Junio C Hamano <junkio@cox.net>	2006-04-07 16:31:20 -0700
commit	8960844a7890b1ac6ad5f8abf58a2a20923dde6d (patch)
tree	680ed7cbcd0c3739dc8e34926d83115bcef6e889 /delta.h
parent	7d6c447145c07bb7d96a9aa17e33838fbe76e405 (diff)
download	git-8960844a7890b1ac6ad5f8abf58a2a20923dde6d.tar.gz