raw | patch | inline | side by side (parent: 47ee06f)
author    Martin Koegler <mkoegler@auto.tuwien.ac.at>
          Sun, 6 Jan 2008 17:21:10 +0000 (18:21 +0100)
committer Junio C Hamano <gitster@pobox.com>
          Mon, 7 Jan 2008 02:41:44 +0000 (18:41 -0800)

The current code can access memory outside of the tree buffer in the
case of malformed tree entries.

This patch prevents this by:

 * The rest of the buffer must be at least 24 bytes (at least 1 byte
   mode, 1 blank, at least one byte path name, 1 NUL, 20 bytes sha1).

 * Check that the last NUL (21 bytes before the end) is present.
   This ensures that strlen() and get_mode() calls stay within the
   buffer.

 * The mode may not be empty. We have only to reject a blank at the
   begin, as the rest is handled by if (c < '0' || c > '7').

 * The blank is ensured by get_mode().

 * The path must contain at least one character.

Signed-off-by: Martin Koegler <mkoegler@auto.tuwien.ac.at>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

diff --git a/tree-walk.c b/tree-walk.c
index 8d4b67317f21508a105175686c7ec98a090ed9b5..142205ddc3e33fb8024171daf4c6b1bee1dba476 100644 (file)
--- a/tree-walk.c
+++ b/tree-walk.c
unsigned char c;
unsigned int mode = 0;
+ if (*str == ' ')
+ return NULL;
+
while ((c = *str++) != ' ') {
if (c < '0' || c > '7')
return NULL;
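Review bot: the new `if (*str == ' ')` guard rejects an empty mode, but the loop right after it, `while ((c = *str++) != ' ')`, still has no length bound of its own. It stays inside the buffer only because decode_tree_entry() now checks `buf[size - 21]` for a NUL before calling get_mode(), and a NUL fails the `c < '0' || c > '7'` test. A comment on get_mode() stating that the caller must guarantee a NUL inside the buffer would keep a later caller from using it on unchecked input; passing the remaining length in would remove the dependency altogether.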
return str;
}
-static void decode_tree_entry(struct tree_desc *desc, const void *buf, unsigned long size)
+static void decode_tree_entry(struct tree_desc *desc, const char *buf, unsigned long size)
{
const char *path;
unsigned int mode, len;
+ if (size < 24 || buf[size - 21])
+ die("corrupt tree file");
+
path = get_mode(buf, &mode);
- if (!path)
+ if (!path || !*path)
die("corrupt tree file");
len = strlen(path) + 1;
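Review bot: the constants in `if (size < 24 || buf[size - 21])` carry the whole bounds argument, yet only the commit message explains them. A short comment at the check (1 byte mode, 1 blank, 1 byte path, 1 NUL, 20 bytes sha1; the NUL sits 21 bytes before the end), or expressions written in terms of the 20-byte sha1 length, would keep it readable. The comment should also say that `size < 24` has to be tested first, since `size` is unsigned and `size - 21` would wrap for a short buffer. Both failure paths die with the same "corrupt tree file" text; distinct messages would tell a truncated entry apart from an empty mode or path.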