From 48050c42c73c28b0c001d63d11dffac7e116847b Mon Sep 17 00:00:00 2001 From: Patrick Steinhardt Date: Thu, 1 Dec 2022 15:46:49 +0100 Subject: pretty: fix integer overflow in wrapping format The `%w(width,indent1,indent2)` formatting directive can be used to rewrap text to a specific width and is designed after git-shortlog(1)'s `-w` parameter. While the three parameters are all stored as `size_t` internally, `strbuf_add_wrapped_text()` accepts integers as input. As a result, the casted integers may overflow. As these now-negative integers are later on passed to `strbuf_addchars()`, we will ultimately run into implementation-defined behaviour due to casting a negative number back to `size_t` again. On my platform, this results in trying to allocate 9000 petabyte of memory. Fix this overflow by using `cast_size_t_to_int()` so that we reject inputs that cannot be represented as an integer. Signed-off-by: Patrick Steinhardt Signed-off-by: Junio C Hamano --- t/t4205-log-pretty-formats.sh | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 't/t4205-log-pretty-formats.sh') diff --git a/t/t4205-log-pretty-formats.sh b/t/t4205-log-pretty-formats.sh index 1d768f7244..c88b64d08b 100755 --- a/t/t4205-log-pretty-formats.sh +++ b/t/t4205-log-pretty-formats.sh @@ -887,6 +887,18 @@ test_expect_success 'log --pretty with magical wrapping directives' ' test_cmp expect actual ' +test_expect_success SIZE_T_IS_64BIT 'log --pretty with overflowing wrapping directive' ' + cat >expect <<-EOF && + fatal: number too large to represent as int on this platform: 2147483649 + EOF + test_must_fail git log -1 --pretty="format:%w(2147483649,1,1)%d" 2>error && + test_cmp expect error && + test_must_fail git log -1 --pretty="format:%w(1,2147483649,1)%d" 2>error && + test_cmp expect error && + test_must_fail git log -1 --pretty="format:%w(1,1,2147483649)%d" 2>error && + test_cmp expect error +' + test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'log --pretty with huge commit message' ' # We only assert that this command does not crash. This needs to be # executed with the address sanitizer to demonstrate failure. -- cgit v1.2.3