Re: Possible integer overflow parsing malformed objects in git 2.10.0

- Original Message - > Jeff King writes: > > > That being said, the parse_sha1_header() function clearly does not > > detect overflow at all when parsing the size. So on a 32-bit system, you > > end up with: > > > > $ git fsck > > fatal: Out of memory, malloc failed

Possible integer overflow parsing malformed objects in git 2.10.0

Hi, We found a malformed object file that triggers an allocation with a negative size when parsed in git 2.10.0. It can be caused by an integer overflow somewhere, so it is better to verify how the code got such value. It was tested on ArchLinux x86_64. To reproduce, first recompile git with

Re: Stack read out-of-bounds in parse_sha1_header_extended using git 2.10.0

Btw, this other test case will trigger a similar issue, but in another line of code: To reproduce: $ git init ; mkdir -p .git/objects/b2 ; printf 'eJwNwoENgDAIBECkDsII5Z8CHagLGPePXu59zjHGRIOZG3OzI/lnRc4KemXDPdYSml6iQ+4ATIZ+nAEK4g==' | base64 -d >

Re: Stack read out-of-bounds in parse_sha1_header_extended using git 2.10.0

Fair enough. We are testing our tool to try to find bugs/vulnerabilities in several git implementations. I will report here my results if i can find some other memory issue in this git client. - Original Message - > Gustavo Grieco <gustavo.gri...@imag.fr> writes: &

Re: Stack read out-of-bounds in parse_sha1_header_extended using git 2.10.0

Hello, Now that the cause of this issue is identified, i would like to know if there is an impact in the security, so i can request a CVE if necessary. Thanks!

Stack read out-of-bounds in parse_sha1_header_extended using git 2.10.0

Hi, We found a stack read out-of-bounds parsing object files using git 2.10.0. It was tested on ArchLinux x86_64. To reproduce, first recompile git with ASAN support and then execute: $ git init ; mkdir -p .git/objects/b2 ; printf 'x' > .git/objects/b2/93584ddd61af21260be75ee9f73e9d53f08cd0