Dulwich.io dulwich / 15f6c9e
Merge branch 'cve-0.9.8' Conflicts: NEWS Jelmer Vernooij 4 years ago
3 changed file(s) with 25 addition(s) and 2 deletion(s). Raw diff Collapse all Expand all
0 0.9.9 UNRELEASED
0 0.10.0 UNRELEASED
11
22 BUG FIXES
33
3232 * Prevent duplicate parsing of loose files in objects
3333 directory when reading. Thanks to David Keijser for the
3434 report. (Jelmer Vernooij, #231)
35
36 0.9.9 2015-03-20
37
38 SECURITY BUG FIXES
39
40 * Fix buffer overflow in C implementation of pack apply_delta().
41 (CVE-2015-0838)
42
43 Thanks to Ivan Fratric of the Google Security Team for
44 reporting this issue.
45 (Jelmer Vernooij)
3546
3647 0.9.8 2014-11-30
3748
145145 break;
146146 memcpy(out+outindex, src_buf+cp_off, cp_size);
147147 outindex += cp_size;
148 dest_size -= cp_size;
148149 } else if (cmd != 0) {
150 if (cmd > dest_size)
151 break;
149152 memcpy(out+outindex, delta+index, cmd);
150153 outindex += cmd;
151154 index += cmd;
155 dest_size -= cmd;
152156 } else {
153157 PyErr_SetString(PyExc_ValueError, "Invalid opcode 0");
154158 Py_DECREF(ret);
166170 return NULL;
167171 }
168172
169 if (dest_size != outindex) {
173 if (dest_size != 0) {
170174 PyErr_SetString(PyExc_ValueError, "dest size incorrect");
171175 Py_DECREF(ret);
172176 return NULL;
190190 self._test_roundtrip(self.test_string_huge + self.test_string1,
191191 self.test_string_huge + self.test_string2)
192192
193 def test_dest_overflow(self):
194 self.assertRaises(
195 ValueError,
196 apply_delta, 'a'*0x10000, '\x80\x80\x04\x80\x80\x04\x80' + 'a'*0x10000)
197 self.assertRaises(
198 ValueError,
199 apply_delta, '', '\x00\x80\x02\xb0\x11\x11')
200
193201
194202 @skipIfPY3
195203 class TestPackData(PackTests):