diff options
| author | Taylor Blau <me@ttaylorr.com> | 2023-04-06 14:28:53 -0400 |
|---|---|---|
| committer | Johannes Schindelin <johannes.schindelin@gmx.de> | 2023-04-17 21:15:40 +0200 |
| commit | e91cfe6085c4a61372d1f800b473b73b8d225d0d (patch) | |
| tree | 7700e28d8857eab988c903490d542f2fe5b10685 /diffcore-rotate.c | |
| parent | a5bb10fd5e74101e7c07da93e7c32bbe60f6173a (diff) | |
config.c: avoid integer truncation in `copy_or_rename_section_in_file()`
There are a couple of spots within `copy_or_rename_section_in_file()`
that incorrectly use an `int` to track an offset within a string, which
may truncate or wrap around to a negative value.
Historically it was impossible to have a line longer than 1024 bytes
anyway, since we used fgets() with a fixed-size buffer of exactly that
length. But the recent change to use a strbuf permits us to read lines
of arbitrary length, so it's possible for a malicious input to cause us
to overflow past INT_MAX and do an out-of-bounds array read.
Practically speaking, however, this should never happen, since it
requires 2GB section names or values, which are unrealistic in
non-malicious circumstances.
Co-authored-by: Jeff King <peff@peff.net>
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Taylor Blau <me@ttaylorr.com>
Diffstat (limited to 'diffcore-rotate.c')
0 files changed, 0 insertions, 0 deletions