commit 1c7e06f6ae53cf4a755fe734db7114be67daf35b
Author: Jelmer Vernooij
Date: Fri Mar 6 12:29:07 2015 +0000
Fix buffer overflow in C version of apply_delta(). This is CVE-2015-0838. Thanks to Ivan Fratric of the Google Security Team for reporting this issue.
diff --git a/NEWS b/NEWS
index 822dab0..71db58f 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,14 @@
 0.9.9 UNRELEASED
+ SECURITY BUG FIXES
+
+ * Fix buffer overflow in C implementation of pack apply_delta().
+ (CVE-2015-0838)
+
+ Thanks to Ivan Fratric of the Google Security Team for
+ reporting this issue.
+ (Jelmer Vernooij)
+
 BUG FIXES
 * In dulwich.index.build_index_from_tree, by default
diff --git a/dulwich/_pack.c b/dulwich/_pack.c
index d1534a5..8a8912e 100644
--- a/dulwich/_pack.c
+++ b/dulwich/_pack.c
@@ -146,10 +146,14 @@ static PyObject *py_apply_delta(PyObject *self, PyObject *args)
 break;
 memcpy(out+outindex, src_buf+cp_off, cp_size);
 outindex += cp_size;
+ dest_size -= cp_size;
 } else if (cmd != 0) {
+ if (cmd > dest_size)
+ break;
 memcpy(out+outindex, delta+index, cmd);
 outindex += cmd;
 index += cmd;
+ dest_size -= cmd;
 } else {
 PyErr_SetString(PyExc_ValueError, "Invalid opcode 0");
 Py_DECREF(ret);
@@ -167,7 +171,7 @@ static PyObject *py_apply_delta(PyObject *self, PyObject *args)
 return NULL;
 }
- if (dest_size != outindex) {
+ if (dest_size != 0) {
 PyErr_SetString(PyExc_ValueError, "dest size incorrect");
 Py_DECREF(ret);
 return NULL;
diff --git a/dulwich/tests/test_pack.py b/dulwich/tests/test_pack.py
index 5caed6d..e8ffb8c 100644
--- a/dulwich/tests/test_pack.py
+++ b/dulwich/tests/test_pack.py
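Review bot: In the literal-insert branch (`else if (cmd != 0)`) of py_apply_delta in dulwich/_pack.c, the added guard bounds the write into `out`, but nothing visible in the hunk bounds the read from `delta`. `memcpy(out+outindex, delta+index, cmd)` copies `cmd` bytes starting at `index` without comparing against the length of the delta buffer, so a truncated delta could be read past its end. Unless that is checked outside the hunk, extend the guard to something like `if (cmd > dest_size || cmd > delta_len - index) break;`, where `delta_len` is a placeholder for whichever variable holds the delta length (not shown here). The enclosing loop and the start of the copy branch lie outside the hunk.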
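Review bot: At the final check in py_apply_delta (`if (dest_size != 0)`), `dest_size` no longer holds the declared output size but the number of bytes still owed to `out`, and neither the name nor the message "dest size incorrect" says so. A one-line comment at the check would make the invariant explicit, e.g. `/* dest_size is decremented per opcode; non-zero here means the delta produced fewer bytes than its header declared */`. Both new `break` paths leave the loop early, so which ValueError a caller sees also depends on the check that ends just above this hunk, whose condition is not visible here.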
@@ -191,6 +191,14 @@ class TestPackDeltas(TestCase):
 self._test_roundtrip(self.test_string_huge + self.test_string1, self.test_string_huge + self.test_string2)
+ def test_dest_overflow(self):
+ self.assertRaises(
+ ValueError,
+ apply_delta, 'a'*0x10000, '\x80\x80\x04\x80\x80\x04\x80' + 'a'*0x10000)
+ self.assertRaises(
+ ValueError,
+ apply_delta, '', '\x00\x80\x02\xb0\x11\x11')
+
 @skipIfPY3
 class TestPackData(PackTests):
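Review bot: The two delta literals in `test_dest_overflow` are undocumented byte strings, and `assertRaises(ValueError, ...)` is satisfied by any ValueError path in apply_delta, so the test does not show which guard each case exercises. Add a comment above each call decoding the delta, e.g. `# src_size=0x10000, dest_size=0x10000; copy 0x10000 bytes from source; then literal data beyond dest_size` and `# src_size=0, dest_size=0x100; copy of 0x1111 bytes from an empty source`. The second case may already be rejected by a bounds check whose condition lies outside the C hunk, so it is worth confirming that it fails without the fix. A further case with a literal insert longer than the bytes remaining in the delta would cover the read side of the copy as well.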