-rw-r--r--delta.h5
-rw-r--r--patch-delta.c26
-rw-r--r--sha1_file.c6
3 files changed, 28 insertions, 9 deletions
diff --git a/delta.h b/delta.h
index a15350dabc..9464f3e9b0 100644
--- a/delta.h
+++ b/delta.h
@@ -16,7 +16,8 @@ extern void *patch_delta(void *src_buf, unsigned long src_size,
  * This must be called twice on the delta data buffer, first to get the
  * expected reference buffer size, and again to get the result buffer size.
  */
-static inline unsigned long get_delta_hdr_size(const unsigned char **datap)
+static inline unsigned long get_delta_hdr_size(const unsigned char **datap,
+                                               const unsigned char *top)
 {
         const unsigned char *data = *datap;
         unsigned char cmd;
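Review bot: The new `top` parameter is not described by the comment block directly above the signature, which still only explains the two-call protocol; a reader cannot tell from the header whether `top` is inclusive, or what the function returns when the header runs into it. A sentence such as `/* top: one past the last byte of the delta buffer; decoding stops there and *datap is left at top */` belongs in that comment, since `get_delta_hdr_size` is a `static inline` in a header and is the only documentation every caller sees. The rest of the function body is in the following hunk.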
@@ -26,7 +27,7 @@ static inline unsigned long get_delta_hdr_size(const unsigned char **datap)
                 cmd = *data++;
                 size |= (cmd & ~0x80) << i;
                 i += 7;
-        } while (cmd & 0x80);
+        } while (cmd & 0x80 && data < top);
         *datap = data;
         return size;
 }
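Review bot: The first header byte is still read by `cmd = *data++;` before `data < top` is consulted, so a call with `*datap == top` (exhausted or empty buffer) reads one byte past the end; the bound only covers the second and later bytes. A guard before the first read, `if (data >= top) { *datap = data; return 0; }`, or an `if (data >= top) break;` at the top of the loop body, is needed for the new check to cover every access. When the loop does stop at `top` with the continuation bit still set it returns a partial size that callers cannot distinguish from a complete one; if that is intended, the header comment should say callers must compare `*datap` with `top` afterwards. Separately, `(cmd & ~0x80) << i` shifts an `int` by a count that grows by 7 per byte, which is undefined once `i` reaches 32 on a long run of continuation bytes; `size |= (unsigned long)(cmd & 0x7f) << i;` together with a stop at `i >= 8 * sizeof(size)` removes that. The `do {` line and the declaration of `i` and `size` are just outside the hunk.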
diff --git a/patch-delta.c b/patch-delta.c
index c0e1311435..d95f0d9721 100644
--- a/patch-delta.c
+++ b/patch-delta.c
@@ -28,12 +28,12 @@ void *patch_delta(void *src_buf, unsigned long src_size,
         top = delta_buf + delta_size;
 
         /* make sure the orig file size matches what we expect */
-        size = get_delta_hdr_size(&data);
+        size = get_delta_hdr_size(&data, top);
         if (size != src_size)
                 return NULL;
 
         /* now the result size */
-        size = get_delta_hdr_size(&data);
+        size = get_delta_hdr_size(&data, top);
         dst_buf = malloc(size + 1);
         if (!dst_buf)
                 return NULL;
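Review bot: `dst_buf = malloc(size + 1);` uses a result size taken straight from the delta header, and when that value is `ULONG_MAX` the `size + 1` wraps to 0; the later `cp_size > size` and `cmd > size` checks in the copy loop then never fire because `size` itself is still huge, so a zero-length allocation is written into. A check such as `if (size == ULONG_MAX) return NULL;` before the allocation closes that. Also, because `get_delta_hdr_size` now stops silently at `top`, a header truncated while the accumulated result size is still 0 leaves `data == top` and `size == 0`, which the copy loop and the final `size != 0` sanity check both accept, returning an empty result for a corrupt delta; checking `data < top` after the second header call rejects it. patch_delta's opening and declarations are outside this hunk.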
@@ -52,21 +52,37 @@ void *patch_delta(void *src_buf, unsigned long src_size,
                         if (cmd & 0x20) cp_size |= (*data++ << 8);
                         if (cmd & 0x40) cp_size |= (*data++ << 16);
                         if (cp_size == 0) cp_size = 0x10000;
+                        if (cp_off + cp_size < cp_size ||
+                            cp_off + cp_size > src_size ||
+                            cp_size > size)
+                                goto bad;
                         memcpy(out, src_buf + cp_off, cp_size);
                         out += cp_size;
-                } else {
+                        size -= cp_size;
+                } else if (cmd) {
+                        if (cmd > size)
+                                goto bad;
                         memcpy(out, data, cmd);
                         out += cmd;
                         data += cmd;
+                        size -= cmd;
+                } else {
+                        /*
+                         * cmd == 0 is reserved for future encoding
+                         * extensions. In the mean time we must fail when
+                         * encountering them (might be data corruption).
+                         */
+                        goto bad;
                 }
         }
 
         /* sanity check */
-        if (data != top || out - dst_buf != size) {
+        if (data != top || size != 0) {
+                bad:
                 free(dst_buf);
                 return NULL;
         }
 
-        *dst_size = size;
+        *dst_size = out - dst_buf;
         return dst_buf;
 }
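Review bot: The new checks bound copies against `src_size` and the remaining result `size`, but reads from the delta itself are still unbounded: the operand bytes fetched with `*data++` for a copy command (the two visible at the top of the hunk and, presumably, their siblings just above it) and the literal bytes in `memcpy(out, data, cmd);` can all extend past `top`, and the `data != top` sanity check at the end only notices after the out-of-bounds read has happened. For the insert branch the fix is one condition, `if (cmd > size || data + cmd > top) goto bad;`; the copy branch needs a similar `data < top` test before each operand byte it consumes, or a single upper bound of the operand count against `top - data` before the first one. Placing the `bad:` label inside the `if` body is legal but easy to misread; a reviewer would expect `bad:` at function scope just before the `free(dst_buf);`. The types of `cp_off`, `cp_size` and `size` are declared outside the hunk, so whether `cp_off + cp_size < cp_size` is a valid unsigned wraparound test depends on those declarations.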
diff --git a/sha1_file.c b/sha1_file.c
index aa09b4646a..d8ef565561 100644
--- a/sha1_file.c
+++ b/sha1_file.c
@@ -804,10 +804,12 @@ static int packed_delta_info(unsigned char *base_sha1,
                  * the result size.
                  */
                 data = delta_head;
-                get_delta_hdr_size(&data); /* ignore base size */
+
+                /* ignore base size */
+                get_delta_hdr_size(&data, delta_head+sizeof(delta_head));
 
                 /* Read the result size */
-                result_size = get_delta_hdr_size(&data);
+                result_size = get_delta_hdr_size(&data, delta_head+sizeof(delta_head));
                 *sizep = result_size;
         }
         return 0;
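Review bot: `delta_head+sizeof(delta_head)` is passed as the bound twice, and it is only a bound on the storage, not on the bytes that were actually decoded into `delta_head` before this point; if fewer bytes were produced, the header parser may read stale or uninitialized tail bytes and, since it now stops silently at `top`, return a size that looks valid. The length actually written into `delta_head` (declared and filled outside this hunk) is the value that should be passed, and hoisting it once, `const unsigned char *top = delta_head + <decoded length>;`, removes the duplicated expression. This also presumes `delta_head` is an array rather than a pointer, otherwise `sizeof` yields the pointer size; its declaration is not visible here. `packed_delta_info` begins outside the hunk.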