projects
/
git.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
git-svn: eol_cp corner-case fixes
[git.git]
/
patch-delta.c
diff --git
a/patch-delta.c
b/patch-delta.c
index
c0e1311
..
8f318ed
100644
(file)
--- a/
patch-delta.c
+++ b/
patch-delta.c
@@
-13,8
+13,8
@@
#include <string.h>
#include "delta.h"
#include <string.h>
#include "delta.h"
-void *patch_delta(void *src_buf, unsigned long src_size,
- void *delta_buf, unsigned long delta_size,
+void *patch_delta(
const
void *src_buf, unsigned long src_size,
+
const
void *delta_buf, unsigned long delta_size,
unsigned long *dst_size)
{
const unsigned char *data, *top;
unsigned long *dst_size)
{
const unsigned char *data, *top;
@@
-28,12
+28,12
@@
void *patch_delta(void *src_buf, unsigned long src_size,
top = delta_buf + delta_size;
/* make sure the orig file size matches what we expect */
top = delta_buf + delta_size;
/* make sure the orig file size matches what we expect */
- size = get_delta_hdr_size(&data);
+ size = get_delta_hdr_size(&data
, top
);
if (size != src_size)
return NULL;
/* now the result size */
if (size != src_size)
return NULL;
/* now the result size */
- size = get_delta_hdr_size(&data);
+ size = get_delta_hdr_size(&data
, top
);
dst_buf = malloc(size + 1);
if (!dst_buf)
return NULL;
dst_buf = malloc(size + 1);
if (!dst_buf)
return NULL;
@@
-52,21
+52,37
@@
void *patch_delta(void *src_buf, unsigned long src_size,
if (cmd & 0x20) cp_size |= (*data++ << 8);
if (cmd & 0x40) cp_size |= (*data++ << 16);
if (cp_size == 0) cp_size = 0x10000;
if (cmd & 0x20) cp_size |= (*data++ << 8);
if (cmd & 0x40) cp_size |= (*data++ << 16);
if (cp_size == 0) cp_size = 0x10000;
+ if (cp_off + cp_size < cp_size ||
+ cp_off + cp_size > src_size ||
+ cp_size > size)
+ goto bad;
memcpy(out, src_buf + cp_off, cp_size);
out += cp_size;
memcpy(out, src_buf + cp_off, cp_size);
out += cp_size;
- } else {
+ size -= cp_size;
+ } else if (cmd) {
+ if (cmd > size)
+ goto bad;
memcpy(out, data, cmd);
out += cmd;
data += cmd;
memcpy(out, data, cmd);
out += cmd;
data += cmd;
+ size -= cmd;
+ } else {
+ /*
+ * cmd == 0 is reserved for future encoding
+ * extensions. In the mean time we must fail when
+ * encountering them (might be data corruption).
+ */
+ goto bad;
}
}
/* sanity check */
}
}
/* sanity check */
- if (data != top || out - dst_buf != size) {
+ if (data != top || size != 0) {
+ bad:
free(dst_buf);
return NULL;
}
free(dst_buf);
return NULL;
}
- *dst_size =
size
;
+ *dst_size =
out - dst_buf
;
return dst_buf;
}
return dst_buf;
}