- Original Message -
> Jeff King writes:
>
> > That being said, the parse_sha1_header() function clearly does not
> > detect overflow at all when parsing the size. So on a 32-bit system, you
> > end up with:
> >
> > $ git fsck
> > fatal: Out of memory, malloc failed
Hi,
We found a malformed object file that triggers an allocation with a negative
size when parsed in git 2.10.0. It can be caused by an integer overflow
somewhere, so it is better to verify how the code got such value. It was tested
on ArchLinux x86_64. To reproduce, first recompile git with
Btw, this other test case will trigger a similar issue, but in another line of
code:
To reproduce:
$ git init ; mkdir -p .git/objects/b2 ; printf
'eJwNwoENgDAIBECkDsII5Z8CHagLGPePXu59zjHGRIOZG3OzI/lnRc4KemXDPdYSml6iQ+4ATIZ+nAEK4g=='
| base64 -d >
Fair enough. We are testing our tool to try to find bugs/vulnerabilities in
several git implementations. I will report here my results if i can find some
other memory issue in this git client.
- Original Message -
> Gustavo Grieco <gustavo.gri...@imag.fr> writes:
&
Hello,
Now that the cause of this issue is identified, i would like to know if there
is an impact in the security, so i can request a CVE if necessary.
Thanks!
Hi,
We found a stack read out-of-bounds parsing object files using git 2.10.0. It
was tested on ArchLinux x86_64. To reproduce, first recompile git with ASAN
support and then execute:
$ git init ; mkdir -p .git/objects/b2 ; printf 'x' >
.git/objects/b2/93584ddd61af21260be75ee9f73e9d53f08cd0
6 matches
Mail list logo