apply: detect overflow when parsing hunk header

Message ID	pull.1858.git.1738235310815.gitgitgadget@gmail.com (mailing list archive)
State	Accepted
Commit	a206058fdaab6274ae7b9bdca274011efba74e11
Headers	show Received: from mail-wr1-f41.google.com (mail-wr1-f41.google.com [209.85.221.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CEBFD84D34 for <git@vger.kernel.org>; Thu, 30 Jan 2025 11:08:34 +0000 (UTC) Message-Id: <pull.1858.git.1738235310815.gitgitgadget@gmail.com> Date: Thu, 30 Jan 2025 11:08:30 +0000 Subject: [PATCH] apply: detect overflow when parsing hunk header Fcc: Sent Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk MIME-Version: 1.0 To: git@vger.kernel.org Cc: =?utf-8?b?U8O2cmVu?= Krecker <soekkle@freenet.de>, Phillip Wood <phillip.wood@dunelm.org.uk>, Phillip Wood <phillip.wood@dunelm.org.uk> From: Phillip Wood <phillip.wood@dunelm.org.uk>
Series	apply: detect overflow when parsing hunk header \| expand apply: detect overflow when parsing hunk header

Message ID

pull.1858.git.1738235310815.gitgitgadget@gmail.com (mailing list archive)

State

Accepted

Commit

a206058fdaab6274ae7b9bdca274011efba74e11

Headers

Message-Id: <pull.1858.git.1738235310815.gitgitgadget@gmail.com>
Date: Thu, 30 Jan 2025 11:08:30 +0000
Subject: [PATCH] apply: detect overflow when parsing hunk header
Fcc: Sent
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
MIME-Version: 1.0
To: git@vger.kernel.org
Cc: =?utf-8?b?U8O2cmVu?= Krecker <soekkle@freenet.de>,
 Phillip Wood <phillip.wood@dunelm.org.uk>,
 Phillip Wood <phillip.wood@dunelm.org.uk>
From: Phillip Wood <phillip.wood@dunelm.org.uk>

Series

apply: detect overflow when parsing hunk header | expand

Commit Message

Phillip Wood Jan. 30, 2025, 11:08 a.m. UTC

From: Phillip Wood <phillip.wood@dunelm.org.uk>

"git apply" uses strtoul() to parse the numbers in the hunk header but
silently ignores overflows. As LONG_MAX is a legitimate return value for
strtoul() we need to set errno to zero before the call to strtoul() and
check that it is still zero afterwards. The error message we display is
not particularly helpful as it does not say what was wrong.  However, it
seems pretty unlikely that users are going to trigger this error in
practice and we can always improve it later if needed.

Signed-off-by: Phillip Wood <phillip.wood@dunelm.org.uk>
---
    apply: detect overflow when parsing hunk header
    
    We should do something similar in "git add -p" but I'll wait to see what
    happens with
    https://lore.kernel.org/git/20250126125638.3089-2-soekkle@freenet.de/
    first

Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-1858%2Fphillipwood%2Fapply-detect-hunk-header-overflow-v1
Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-1858/phillipwood/apply-detect-hunk-header-overflow-v1
Pull-Request: https://github.com/gitgitgadget/git/pull/1858

 apply.c               |  3 +++
 t/t4100-apply-stat.sh | 13 +++++++++++++
 2 files changed, 16 insertions(+)


base-commit: fbe8d3079d4a96aeb4e4529cc93cc0043b759a05

Comments

Junio C Hamano Jan. 30, 2025, 10:17 p.m. UTC | #1

"Phillip Wood via GitGitGadget" <gitgitgadget@gmail.com> writes:

> From: Phillip Wood <phillip.wood@dunelm.org.uk>
>
> "git apply" uses strtoul() to parse the numbers in the hunk header but
> silently ignores overflows. As LONG_MAX is a legitimate return value for
> strtoul() we need to set errno to zero before the call to strtoul() and
> check that it is still zero afterwards. The error message we display is
> not particularly helpful as it does not say what was wrong.  However, it
> seems pretty unlikely that users are going to trigger this error in
> practice and we can always improve it later if needed.

Thanks.  We made an effort to use a type that is a bit wider than
"int", but we apparently ignored that the Git userbase will become a
lot wider some day and unfriendly and/or hostile folks would start
feeding malicious input to us X-<.  The check presented here look
good, and the fact that there was only one change needed shows how
well designed the base code was ;-)

Will queue.  Thanks.

> @@ -1423,7 +1423,10 @@ static int parse_num(const char *line, unsigned long *p)
>  
>  	if (!isdigit(*line))
>  		return 0;
> +	errno = 0;
>  	*p = strtoul(line, &ptr, 10);
> +	if (errno)
> +		return 0;
>  	return ptr - line;
>  }
>  
> diff --git a/t/t4100-apply-stat.sh b/t/t4100-apply-stat.sh
> index 146e73d8f55..a5664f3eb3c 100755
> --- a/t/t4100-apply-stat.sh
> +++ b/t/t4100-apply-stat.sh
> @@ -38,4 +38,17 @@ incomplete (1)
>  incomplete (2)
>  EOF
>  
> +test_expect_success 'applying a hunk header which overflows fails' '
> +	cat >patch <<-\EOF &&
> +	diff -u a/file b/file
> +	--- a/file
> +	+++ b/file
> +	@@ -98765432109876543210 +98765432109876543210 @@
> +	-a
> +	+b
> +	EOF
> +	test_must_fail git apply patch 2>err &&
> +	echo "error: corrupt patch at line 4" >expect &&
> +	test_cmp expect err
> +'
>  test_done
>
> base-commit: fbe8d3079d4a96aeb4e4529cc93cc0043b759a05

diff --git a/apply.c b/apply.c
index 4a7b6120ac8..b124678b93b 100644
--- a/apply.c
+++ b/apply.c
@@ -1423,7 +1423,10 @@  static int parse_num(const char *line, unsigned long *p)
 
 	if (!isdigit(*line))
 		return 0;
+	errno = 0;
 	*p = strtoul(line, &ptr, 10);
+	if (errno)
+		return 0;
 	return ptr - line;
 }
 
diff --git a/t/t4100-apply-stat.sh b/t/t4100-apply-stat.sh
index 146e73d8f55..a5664f3eb3c 100755
--- a/t/t4100-apply-stat.sh
+++ b/t/t4100-apply-stat.sh
@@ -38,4 +38,17 @@  incomplete (1)
 incomplete (2)
 EOF
 
+test_expect_success 'applying a hunk header which overflows fails' '
+	cat >patch <<-\EOF &&
+	diff -u a/file b/file
+	--- a/file
+	+++ b/file
+	@@ -98765432109876543210 +98765432109876543210 @@
+	-a
+	+b
+	EOF
+	test_must_fail git apply patch 2>err &&
+	echo "error: corrupt patch at line 4" >expect &&
+	test_cmp expect err
+'
 test_done

apply: detect overflow when parsing hunk header

Commit Message

Comments

Patch