From 5bf9219d01b16444b316fe764b58d15bd9265f74 Mon Sep 17 00:00:00 2001 From: Ilari Liusvaara Date: Tue, 26 Jan 2010 20:24:12 +0200 Subject: [PATCH 1/4] Add xmallocz() Add routine for allocating NUL-terminated memory block without risking integer overflow in addition of +1 for NUL byte. [jc: with suggestion from Bill Lear] Signed-off-by: Ilari Liusvaara Signed-off-by: Junio C Hamano --- git-compat-util.h | 1 + wrapper.c | 15 +++++++++++---- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/git-compat-util.h b/git-compat-util.h index ef6080338..31e2ef9e9 100644 --- a/git-compat-util.h +++ b/git-compat-util.h @@ -343,6 +343,7 @@ extern void release_pack_memory(size_t, int); extern char *xstrdup(const char *str); extern void *xmalloc(size_t size); +extern void *xmallocz(size_t size); extern void *xmemdupz(const void *data, size_t len); extern char *xstrndup(const char *str, size_t len); extern void *xrealloc(void *ptr, size_t size); diff --git a/wrapper.c b/wrapper.c index c9be1400c..0e3e20a3f 100644 --- a/wrapper.c +++ b/wrapper.c @@ -34,6 +34,16 @@ void *xmalloc(size_t size) return ret; } +void *xmallocz(size_t size) +{ + void *ret; + if (size + 1 < size) + die("Data too large to fit into virtual memory space."); + ret = xmalloc(size + 1); + ((char*)ret)[size] = 0; + return ret; +} + /* * xmemdupz() allocates (len + 1) bytes of memory, duplicates "len" bytes of * "data" to the allocated memory, zero terminates the allocated memory, @@ -42,10 +52,7 @@ void *xmalloc(size_t size) */ void *xmemdupz(const void *data, size_t len) { - char *p = xmalloc(len + 1); - memcpy(p, data, len); - p[len] = '\0'; - return p; + return memcpy(xmallocz(len), data, len); } char *xstrndup(const char *str, size_t len) From 222083a1585c058fd2bbcb76db1ea824ee3df17f Mon Sep 17 00:00:00 2001 From: Ilari Liusvaara Date: Tue, 26 Jan 2010 20:24:13 +0200 Subject: [PATCH 2/4] Fix integer overflow in patch_delta() Signed-off-by: Ilari Liusvaara Signed-off-by: Junio C Hamano --- patch-delta.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/patch-delta.c b/patch-delta.c index e02e13bd4..d218faa02 100644 --- a/patch-delta.c +++ b/patch-delta.c @@ -33,8 +33,7 @@ void *patch_delta(const void *src_buf, unsigned long src_size, /* now the result size */ size = get_delta_hdr_size(&data, top); - dst_buf = xmalloc(size + 1); - dst_buf[size] = 0; + dst_buf = xmallocz(size); out = dst_buf; while (data < top) { From 3aee68aa68e80856de26340b707148d8f8d5b82e Mon Sep 17 00:00:00 2001 From: Ilari Liusvaara Date: Tue, 26 Jan 2010 20:24:14 +0200 Subject: [PATCH 3/4] Fix integer overflow in unpack_sha1_rest() [jc: later NUL termination by the caller becomes unnecessary] Signed-off-by: Ilari Liusvaara Signed-off-by: Junio C Hamano --- sha1_file.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/sha1_file.c b/sha1_file.c index 63981fb3f..a90324767 100644 --- a/sha1_file.c +++ b/sha1_file.c @@ -1232,7 +1232,7 @@ static int unpack_sha1_header(z_stream *stream, unsigned char *map, unsigned lon static void *unpack_sha1_rest(z_stream *stream, void *buffer, unsigned long size, const unsigned char *sha1) { int bytes = strlen(buffer) + 1; - unsigned char *buf = xmalloc(1+size); + unsigned char *buf = xmallocz(size); unsigned long n; int status = Z_OK; @@ -1260,7 +1260,6 @@ static void *unpack_sha1_rest(z_stream *stream, void *buffer, unsigned long size while (status == Z_OK) status = git_inflate(stream, Z_FINISH); } - buf[size] = 0; if (status == Z_STREAM_END && !stream->avail_in) { git_inflate_end(stream); return buf; From 4ab07e4d1076a1b94b91d58913daeb20eb1c0e2d Mon Sep 17 00:00:00 2001 From: Ilari Liusvaara Date: Tue, 26 Jan 2010 20:24:15 +0200 Subject: [PATCH 4/4] Fix integer overflow in unpack_compressed_entry() Signed-off-by: Ilari Liusvaara Signed-off-by: Junio C Hamano --- sha1_file.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/sha1_file.c b/sha1_file.c index a90324767..23d347c45 100644 --- a/sha1_file.c +++ b/sha1_file.c @@ -1582,8 +1582,7 @@ static void *unpack_compressed_entry(struct packed_git *p, z_stream stream; unsigned char *buffer, *in; - buffer = xmalloc(size + 1); - buffer[size] = 0; + buffer = xmallocz(size); memset(&stream, 0, sizeof(stream)); stream.next_out = buffer; stream.avail_out = size + 1;