From 5bf9219d01b16444b316fe764b58d15bd9265f74 Mon Sep 17 00:00:00 2001
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Date: Tue, 26 Jan 2010 20:24:12 +0200
Subject: [PATCH 1/4] Add xmallocz()

Add routine for allocating NUL-terminated memory block without risking
integer overflow in addition of +1 for NUL byte.

[jc: with suggestion from Bill Lear]

Signed-off-by: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
---
 git-compat-util.h |  1 +
 wrapper.c         | 15 +++++++++++----
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/git-compat-util.h b/git-compat-util.h
index ef6080338..31e2ef9e9 100644
--- a/git-compat-util.h
+++ b/git-compat-util.h
@@ -343,6 +343,7 @@ extern void release_pack_memory(size_t, int);
 
 extern char *xstrdup(const char *str);
 extern void *xmalloc(size_t size);
+extern void *xmallocz(size_t size);
 extern void *xmemdupz(const void *data, size_t len);
 extern char *xstrndup(const char *str, size_t len);
 extern void *xrealloc(void *ptr, size_t size);
diff --git a/wrapper.c b/wrapper.c
index c9be1400c..0e3e20a3f 100644
--- a/wrapper.c
+++ b/wrapper.c
@@ -34,6 +34,16 @@ void *xmalloc(size_t size)
 	return ret;
 }
 
+void *xmallocz(size_t size)
+{
+	void *ret;
+	if (size + 1 < size)
+		die("Data too large to fit into virtual memory space.");
+	ret = xmalloc(size + 1);
+	((char*)ret)[size] = 0;
+	return ret;
+}
+
 /*
  * xmemdupz() allocates (len + 1) bytes of memory, duplicates "len" bytes of
  * "data" to the allocated memory, zero terminates the allocated memory,
@@ -42,10 +52,7 @@ void *xmalloc(size_t size)
  */
 void *xmemdupz(const void *data, size_t len)
 {
-	char *p = xmalloc(len + 1);
-	memcpy(p, data, len);
-	p[len] = '\0';
-	return p;
+	return memcpy(xmallocz(len), data, len);
 }
 
 char *xstrndup(const char *str, size_t len)

From 222083a1585c058fd2bbcb76db1ea824ee3df17f Mon Sep 17 00:00:00 2001
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Date: Tue, 26 Jan 2010 20:24:13 +0200
Subject: [PATCH 2/4] Fix integer overflow in patch_delta()

Signed-off-by: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
---
 patch-delta.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/patch-delta.c b/patch-delta.c
index e02e13bd4..d218faa02 100644
--- a/patch-delta.c
+++ b/patch-delta.c
@@ -33,8 +33,7 @@ void *patch_delta(const void *src_buf, unsigned long src_size,
 
 	/* now the result size */
 	size = get_delta_hdr_size(&data, top);
-	dst_buf = xmalloc(size + 1);
-	dst_buf[size] = 0;
+	dst_buf = xmallocz(size);
 
 	out = dst_buf;
 	while (data < top) {

From 3aee68aa68e80856de26340b707148d8f8d5b82e Mon Sep 17 00:00:00 2001
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Date: Tue, 26 Jan 2010 20:24:14 +0200
Subject: [PATCH 3/4] Fix integer overflow in unpack_sha1_rest()

[jc: later NUL termination by the caller becomes unnecessary]

Signed-off-by: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
---
 sha1_file.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/sha1_file.c b/sha1_file.c
index 63981fb3f..a90324767 100644
--- a/sha1_file.c
+++ b/sha1_file.c
@@ -1232,7 +1232,7 @@ static int unpack_sha1_header(z_stream *stream, unsigned char *map, unsigned lon
 static void *unpack_sha1_rest(z_stream *stream, void *buffer, unsigned long size, const unsigned char *sha1)
 {
 	int bytes = strlen(buffer) + 1;
-	unsigned char *buf = xmalloc(1+size);
+	unsigned char *buf = xmallocz(size);
 	unsigned long n;
 	int status = Z_OK;
 
@@ -1260,7 +1260,6 @@ static void *unpack_sha1_rest(z_stream *stream, void *buffer, unsigned long size
 		while (status == Z_OK)
 			status = git_inflate(stream, Z_FINISH);
 	}
-	buf[size] = 0;
 	if (status == Z_STREAM_END && !stream->avail_in) {
 		git_inflate_end(stream);
 		return buf;

From 4ab07e4d1076a1b94b91d58913daeb20eb1c0e2d Mon Sep 17 00:00:00 2001
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Date: Tue, 26 Jan 2010 20:24:15 +0200
Subject: [PATCH 4/4] Fix integer overflow in unpack_compressed_entry()

Signed-off-by: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
---
 sha1_file.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/sha1_file.c b/sha1_file.c
index a90324767..23d347c45 100644
--- a/sha1_file.c
+++ b/sha1_file.c
@@ -1582,8 +1582,7 @@ static void *unpack_compressed_entry(struct packed_git *p,
 	z_stream stream;
 	unsigned char *buffer, *in;
 
-	buffer = xmalloc(size + 1);
-	buffer[size] = 0;
+	buffer = xmallocz(size);
 	memset(&stream, 0, sizeof(stream));
 	stream.next_out = buffer;
 	stream.avail_out = size + 1;