Package: dulwich / 0.6.1-1+deb6u1

CVE-2015-0838-Fix-buffer-overflow-in-C-version-of-ap.patch Patch series | download
From: =?utf-8?q?Jelmer_Vernoo=C4=B3?= <jelmer@google.com>
Date: Fri, 22 May 2015 15:01:47 +0200
Subject: CVE-2015-0838: Fix buffer overflow in C version of apply_delta()

Cherry-picked from upstream commit
1c7e06f6ae53cf4a755fe734db7114be67daf35b.
---
 dulwich/_pack.c            | 8 ++++++--
 dulwich/tests/test_pack.py | 8 ++++++++
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/dulwich/_pack.c b/dulwich/_pack.c
index ee79b40..c6ab327 100644
--- a/dulwich/_pack.c
+++ b/dulwich/_pack.c
@@ -146,10 +146,14 @@ static PyObject *py_apply_delta(PyObject *self, PyObject *args)
                 break;
 			memcpy(out+outindex, src_buf+cp_off, cp_size);
 			outindex += cp_size;
+			dest_size -= cp_size;
 		} else if (cmd != 0) {
+			if (cmd > dest_size)
+				break;
 			memcpy(out+outindex, delta+index, cmd);
 			outindex += cmd;
-            index += cmd;
+			index += cmd;
+			dest_size -= cmd;
 		} else {
 			PyErr_SetString(PyExc_ValueError, "Invalid opcode 0");
 			Py_DECREF(ret);
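Review bot: The insert branch (`else if (cmd != 0)`) now bounds the write with `cmd > dest_size`, but nothing visible in this hunk bounds the read. `memcpy(out+outindex, delta+index, cmd)` copies `cmd` bytes from the delta without comparing against the bytes remaining in it, so a truncated delta could read past the end of the input buffer. If the loop outside the hunk does not already guarantee this, extend the guard to something like `if (cmd > dest_size || cmd > DELTA_LEN - index) break;`, where `DELTA_LEN` is a placeholder for whatever variable holds the delta length. py_apply_delta starts before and continues after this hunk, so the loop condition and what happens after `break` are not visible here.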
@@ -167,7 +171,7 @@ static PyObject *py_apply_delta(PyObject *self, PyObject *args)
 		return NULL;
 	}
 
-	if (dest_size != outindex) {
+	if (dest_size != 0) {
         PyErr_SetString(PyExc_ValueError, "dest size incorrect");
 		Py_DECREF(ret);
 		return NULL;
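Review bot: At the final check `dest_size` no longer holds the declared output size but the number of bytes still unwritten, and neither the name nor a comment says so. A one-line comment above `if (dest_size != 0)` would make the invariant explicit, e.g. `/* dest_size is decremented by every copy/insert; non-zero here means the delta produced less output than its header declared */`. The function body extends beyond this hunk on both sides.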
diff --git a/dulwich/tests/test_pack.py b/dulwich/tests/test_pack.py
index b6aea48..2bbd674 100644
--- a/dulwich/tests/test_pack.py
+++ b/dulwich/tests/test_pack.py
@@ -155,6 +155,14 @@ class TestPackDeltas(TestCase):
     def test_overflow(self):
         self._test_roundtrip(self.test_string_empty, self.test_string_big)
 
+    def test_dest_overflow(self):
+        self.assertRaises(
+            ValueError,
+            apply_delta, 'a'*0x10000, '\x80\x80\x04\x80\x80\x04\x80' + 'a'*0x10000)
+        self.assertRaises(
+            ValueError,
+            apply_delta, '', '\x00\x80\x02\xb0\x11\x11')
+
 
 class TestPackData(PackTests):
     """Tests getting the data from the packfile."""
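Review bot: The two delta literals in `test_dest_overflow` are opaque byte strings with no comment saying which overflow each one is meant to trigger, which makes the regression test hard to maintain. Add a short comment above each `assertRaises`, e.g. `# copy op fills the declared dest size; the trailing insert ops must be rejected` and `# copy op requests more bytes than the empty source / declared dest size allows` (wording to be confirmed against the delta format). It is also worth checking, outside this hunk, that `apply_delta` resolves to the C extension when it is built, since the fix is only in `_pack.c` and a pure-Python fallback would pass without exercising it.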