From: Takashi Iwai <tiwai@suse.com>
Date: Thu, 17 Mar 2016 07:51:23 +0100
Subject: prevent buffer overflow in path_name() (CVE-2016-2324)

Using int type for string sizes in path_name() allows a remotely
triggered buffer overflow if arithmetic wraps around. Use size_t instead
and bail out if resulting size exceeds INT_MAX.
---
 revision.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

--- a/revision.c
+++ b/revision.c
@@ -20,14 +20,20 @@
 {
 	const struct name_path *p;
 	char *n, *m;
-	int nlen = strlen(name);
-	int len = nlen + 1;
+	size_t nlen = strlen(name);
+	size_t len = nlen + 1;
 
+	if (len >= INT_MAX)
+		goto error;
 	for (p = path; p; p = p->up) {
 		if (p->elem_len)
 			len += p->elem_len + 1;
+		if (len >= INT_MAX)
+			goto error;
 	}
 	n = xmalloc(len);
+	if (!n)
+		goto error;
 	m = n + len - (nlen + 1);
 	memcpy(m, name, nlen + 1);
 	for (p = path; p; p = p->up) {
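Review bot: In the first loop, `len += p->elem_len + 1;` still evaluates `p->elem_len + 1` in the type of `elem_len` before it is widened to `size_t`. The struct definition is outside this hunk, but if that field is an `int`, a value of INT_MAX overflows in signed arithmetic, and a negative value converts to a huge addend that wraps `len` back under the new `INT_MAX` check. I would reject bad element lengths before adding, e.g. `if (p->elem_len < 0 || (size_t)p->elem_len >= INT_MAX - len) goto error;` followed by `len += (size_t)p->elem_len + 1;`. The added `if (!n)` test after `xmalloc(len)` is presumably dead, since that wrapper normally terminates on allocation failure rather than returning NULL. The function's signature and the body of the copy loop lie outside the hunk, so the pointer arithmetic in that loop should be checked against the same types.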
@@ -38,6 +44,14 @@
 		}
 	}
 	return n;
+
+ error:
+	/* FIXME: better to return an error, but the caller of this function
+	 * doesn't do any NULL-checks, so it's safer to exit forcibly
+	 */
+	exit(1);
+
+	return NULL;
 }
 
 static int show_path_component_truncated(FILE *out, const char *name, int len)
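Review bot: The `error:` path calls `exit(1)` without printing anything, so a rejected over-long path leaves no trace that distinguishes it from any other failure, which makes attempts to trigger this overflow harder to spot in logs. Emitting a message before terminating would help, for example `fprintf(stderr, "fatal: path name too long\n");` ahead of the `exit(1)`, or the project's fatal-error helper if one is available in this file. The `return NULL;` after `exit(1)` is unreachable and can be dropped. The FIXME comment would be more useful if it named the caller that lacks the NULL check.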
