Re: [PATCH 0/5] handle corruption in patch-delta

2018-08-30 Thread Nicolas Pitre
On Thu, 30 Aug 2018, Jeff King wrote:

> On Wed, Aug 29, 2018 at 10:58:55PM +0200, Jann Horn wrote:
>
> > If `cmd` is in the range [0x01,0x7f] and `cmd > top-data`, the
> > `memcpy(out, data, cmd)` can copy out-of-bounds data from after `delta_buf`
> > into `dst_buf`.
> >
> > This is not an explo

Re: [PATCH 0/5] handle corruption in patch-delta

2018-08-30 Thread Jann Horn
On Thu, Aug 30, 2018 at 9:05 AM Jeff King wrote:
>
> On Wed, Aug 29, 2018 at 10:58:55PM +0200, Jann Horn wrote:
>
> > If `cmd` is in the range [0x01,0x7f] and `cmd > top-data`, the
> > `memcpy(out, data, cmd)` can copy out-of-bounds data from after `delta_buf`
> > into `dst_buf`.
> >
> > This is n

[PATCH 0/5] handle corruption in patch-delta

2018-08-30 Thread Jeff King
On Wed, Aug 29, 2018 at 10:58:55PM +0200, Jann Horn wrote:
> If `cmd` is in the range [0x01,0x7f] and `cmd > top-data`, the
> `memcpy(out, data, cmd)` can copy out-of-bounds data from after `delta_buf`
> into `dst_buf`.
>
> This is not an exploitable bug because triggering the bug increments the