From 5378f2121723704221ab05bbf10c954288e60222 Mon Sep 17 00:00:00 2001 From: dongjiao Date: Wed, 8 May 2024 14:35:58 +0800 Subject: [PATCH] Fix t5100-mailinfo.sh error --- git.spec | 9 +- ...-memory-reads-in-unquote_quoted_pair.patch | 115 ++++++++++++++++++ 2 files changed, 123 insertions(+), 1 deletion(-) create mode 100644 mailinfo-fix-out-of-bounds-memory-reads-in-unquote_quoted_pair.patch diff --git a/git.spec b/git.spec index 3bc2935..67b271f 100644 --- a/git.spec +++ b/git.spec @@ -1,7 +1,7 @@ %global gitexecdir %{_libexecdir}/git-core Name: git Version: 2.43.0 -Release: 2 +Release: 3 Summary: A popular and widely used Version Control System License: GPLv2+ or LGPLv2.1 URL: https://git-scm.com/ @@ -13,6 +13,7 @@ Source101: git@.service.in Source102: git.socket Patch0: backport-send-email-avoid-duplicate-specification-warnings.patch +Patch1: mailinfo-fix-out-of-bounds-memory-reads-in-unquote_quoted_pair.patch BuildRequires: gcc gettext BuildRequires: openssl-devel libcurl-devel expat-devel systemd asciidoc xmlto glib2-devel libsecret-devel pcre2-devel desktop-file-utils @@ -297,6 +298,12 @@ make %{?_smp_mflags} test %{_mandir}/man7/git*.7.* %changelog +* Fri May 10 2024 dongjiao - 2.43.0-3 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:Fix t5100-mailinfo.sh error + * Mon Apr 08 2024 fuanan - 2.43.0-2 - Type:bugfix - ID:NA diff --git a/mailinfo-fix-out-of-bounds-memory-reads-in-unquote_quoted_pair.patch b/mailinfo-fix-out-of-bounds-memory-reads-in-unquote_quoted_pair.patch new file mode 100644 index 0000000..1143830 --- /dev/null +++ b/mailinfo-fix-out-of-bounds-memory-reads-in-unquote_quoted_pair.patch 
@@ -0,0 +1,115 @@ +From d1bd3a8c3424e818f4117a39fe418909e24cea5f Mon Sep 17 00:00:00 2001 +From: Jeff King +Date: Tue, 12 Dec 2023 17:12:43 -0500 +Subject: [PATCH] mailinfo: fix out-of-bounds memory reads in + unquote_quoted_pair() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When processing a header like a "From" line, mailinfo uses +unquote_quoted_pair() to handle double-quotes and rfc822 parenthesized +comments. It takes a NUL-terminated string on input, and loops over the +"in" pointer until it sees the NUL. When it finds the start of an +interesting block, it delegates to helper functions which also increment +"in", and return the updated pointer. + +But there's a bug here: the helpers find the NUL with a post-increment +in the loop condition, like: + + while ((c = *in++) != 0) + +So when they do see a NUL (rather than the correct termination of the +quote or comment section), they return "in" as one _past_ the NUL +terminator. And thus the outer loop in unquote_quoted_pair() does not +realize we hit the NUL, and keeps reading past the end of the buffer. + +We should instead make sure to return "in" positioned at the NUL, so +that the caller knows to stop their loop, too. A hacky way to do this is +to return "in - 1" after leaving the inner loop. But a slightly cleaner +solution is to avoid incrementing "in" until we are sure it contained a +non-NUL byte (i.e., doing it inside the loop body). + +The two tests here show off the problem. Since we check the output, +they'll _usually_ report a failure in a normal build, but it depends on +what garbage bytes are found after the heap buffer. Building with +SANITIZE=address reliably notices the problem. The outcome (both the +exit code and the exact bytes) are just what Git happens to produce for +these cases today, and shouldn't be taken as an endorsement. It might be +reasonable to abort on an unterminated string, for example. 
The priority +for this patch is fixing the out-of-bounds memory access. + +Reported-by: Carlos Andrés Ramírez Cataño +Signed-off-by: Jeff King +Signed-off-by: Junio C Hamano +--- + mailinfo.c | 8 ++++---- + t/t5100-mailinfo.sh | 22 ++++++++++++++++++++++ + 2 files changed, 26 insertions(+), 4 deletions(-) + +diff --git a/mailinfo.c b/mailinfo.c +index 833d28612f..542d4458f6 100644 +--- a/mailinfo.c ++++ b/mailinfo.c +@@ -56,12 +56,12 @@ static void parse_bogus_from(struct mailinfo *mi, const struct strbuf *line) + + static const char *unquote_comment(struct strbuf *outbuf, const char *in) + { +- int c; + int take_next_literally = 0; + + strbuf_addch(outbuf, '('); + +- while ((c = *in++) != 0) { ++ while (*in) { ++ int c = *in++; + if (take_next_literally == 1) { + take_next_literally = 0; + } else { +@@ -86,10 +86,10 @@ static const char *unquote_comment(struct strbuf *outbuf, const char *in) + + static const char *unquote_quoted_string(struct strbuf *outbuf, const char *in) + { +- int c; + int take_next_literally = 0; + +- while ((c = *in++) != 0) { ++ while (*in) { ++ int c = *in++; + if (take_next_literally == 1) { + take_next_literally = 0; + } else { +diff --git a/t/t5100-mailinfo.sh b/t/t5100-mailinfo.sh +index db11cababd..654d8cf3ee 100755 +--- a/t/t5100-mailinfo.sh ++++ b/t/t5100-mailinfo.sh +@@ -268,4 +268,26 @@ test_expect_success 'mailinfo warn CR in base64 encoded email' ' + test_must_be_empty quoted-cr/0002.err + ' + ++test_expect_success 'from line with unterminated quoted string' ' ++ echo "From: bob \"unterminated string smith " >in && ++ git mailinfo /dev/null /dev/null actual && ++ cat >expect <<-\EOF && ++ Author: bob unterminated string smith ++ Email: bob@example.com ++ ++ EOF ++ test_cmp expect actual ++' ++ ++test_expect_success 'from line with unterminated comment' ' ++ echo "From: bob (unterminated comment smith " >in && ++ git mailinfo /dev/null /dev/null actual && ++ cat >expect <<-\EOF && ++ Author: bob (unterminated comment smith ++ 
Email: bob@example.com ++ ++ EOF ++ test_cmp expect actual ++' ++ + test_done +-- +2.27.0 +
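Review bot: in the git.spec hunk that adds `Patch1: mailinfo-fix-out-of-bounds-memory-reads-in-unquote_quoted_pair.patch`, only the declaration is visible; confirm that %prep actually applies it (an `%autosetup -p1`, or an explicit `%patch1 -p1` next to whatever applies Patch0), otherwise the package would ship with a changelog claiming a fix that is not in the binary. Also check that the backport applies to the 2.43.0 mailinfo.c without fuzz, since the upstream commit (Tue, 12 Dec 2023) was made against a different tree than the 2.43.0 tarball.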
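Review bot: the changelog entry describes the symptom rather than the fix: `DESC:Fix t5100-mailinfo.sh error` says a test failed, while what is being added is a backport of upstream d1bd3a8c3424e818f4117a39fe418909e24cea5f ("mailinfo: fix out-of-bounds memory reads in unquote_quoted_pair()"), a memory-safety fix in code that parses untrusted mail headers. Suggest a DESC that names the out-of-bounds read and the upstream commit so that anyone auditing the package for memory-safety backports can find it, and putting the upstream reference in ID if the project's convention allows that instead of NA. Minor: the entry is dated Fri May 10 2024 while the commit itself is dated Wed, 8 May 2024.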
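Review bot: the unquote_comment() hunk is correct as far as it shows: `while (*in)` followed by `int c = *in++;` advances past a byte only after it is known to be non-NUL, so an unterminated comment now returns `in` positioned on the terminator instead of one past it, and the trailing-backslash case (`take_next_literally` still set when the string ends) also exits without consuming the NUL. Since the `return in;` after the loop is outside the hunk, a one-line comment there stating that callers rely on `in` pointing at the NUL would stop the `(c = *in++) != 0` idiom from being reintroduced.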
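Review bot: the unquote_quoted_string() hunk is the same three-line change as in unquote_comment(), applied to a loop of identical shape; having two copies of the scanning loop is what let the bug exist twice, so a follow-up that shares the loop between the two helpers (terminator character and the leading '(' as parameters) would remove the duplication. Not something to do in the backport, which should stay minimal.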
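Review bot: as rendered here the t5100-mailinfo.sh invocation reads `git mailinfo /dev/null /dev/null actual`, with no `<in` and `>actual` redirections; the `<` and `>` characters look like they were dropped when the patch was rendered, and as written the line would pass `actual` as a third argument and `test_cmp expect actual` would fail. Anyone applying this from the page rather than from the .patch file in the repository should check the redirections survived. Separately, both tests hard-code the current output for unterminated quotes and comments, which the commit message explicitly says is not an endorsement, so if upstream later decides to reject an unterminated string these expectations will change with it and the backport should follow.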
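The commit message explains the bug as a pointer returned one byte past the NUL. The following is an added example, not git's code and not part of the patch: it reproduces the pre-fix and post-fix loop shapes of unquote_quoted_string() side by side, with a minimal `outbuf` standing in for git's strbuf and a simplified outer loop in the shape of unquote_quoted_pair() (assumptions of this example). The over-read is made observable without undefined behaviour by placing a constructed, unterminated From-header fragment in a larger buffer whose bytes after the NUL are known, so the buggy loop visibly pulls "XYZ" into the output while the fixed loop stops at the terminator. unquote_comment() has the same loop shape and the same fix and is not repeated here.

```c
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for git's strbuf (assumption of this example, not git code). */
struct outbuf { char buf[128]; size_t len; };

static void outbuf_addch(struct outbuf *o, char c)
{
    if (o->len + 1 < sizeof(o->buf)) {
        o->buf[o->len++] = c;
        o->buf[o->len] = '\0';
    }
}

/* Pre-fix loop shape: the post-increment in the condition consumes the NUL of
 * an unterminated quote, so "in" is returned one byte PAST the terminator. */
const char *unquote_quoted_string_buggy(struct outbuf *out, const char *in)
{
    int c;
    int take_next_literally = 0;

    while ((c = *in++) != 0) {
        if (take_next_literally == 1) {
            take_next_literally = 0;
        } else if (c == '"') {
            return in;                  /* closing quote: resume after it */
        } else if (c == '\\') {
            take_next_literally = 1;
            continue;
        }
        outbuf_addch(out, c);
    }
    return in;                          /* BUG: terminator + 1 */
}

/* Post-fix loop shape from the patch: "in" is advanced only after the byte is
 * known to be non-NUL, so the unterminated case returns "in" AT the NUL. */
const char *unquote_quoted_string_fixed(struct outbuf *out, const char *in)
{
    int take_next_literally = 0;

    while (*in) {
        int c = *in++;
        if (take_next_literally == 1) {
            take_next_literally = 0;
        } else if (c == '"') {
            return in;
        } else if (c == '\\') {
            take_next_literally = 1;
            continue;
        }
        outbuf_addch(out, c);
    }
    return in;                          /* at the NUL: the caller's loop stops */
}

typedef const char *(*unquote_fn)(struct outbuf *, const char *);

/* Offset of the helper's return pointer from the input's NUL: 1 (one past the
 * end) for the buggy loop on an unterminated quote, 0 for the fixed one. */
long helper_return_offset(unquote_fn helper, const char *input)
{
    struct outbuf out = { {0}, 0 };
    const char *ret = helper(&out, input);
    return (long)(ret - (input + strlen(input)));
}

/* Simplified outer loop in the shape of unquote_quoted_pair(): it too stops
 * only on NUL, so it trusts the helper to leave "in" on the terminator. */
static void unquote_pair(struct outbuf *out, const char *in, unquote_fn helper)
{
    int c;
    while ((c = *in++) != 0) {
        if (c == '"')
            in = helper(out, in);
        else
            outbuf_addch(out, c);
    }
}

/* Runs the outer loop over a constructed unterminated header fragment placed in
 * a buffer whose bytes after the NUL are known ("XYZ" standing in for heap
 * garbage), so the over-read stays inside the array. Returns 1 if the unquoted
 * text equals expected: "bob unterminatedXYZ" buggy, "bob unterminated" fixed. */
int demo_output_matches(unquote_fn helper, const char *expected)
{
    static const char hdr[] = "bob \"unterminated";   /* constructed input */
    char buf[64];
    struct outbuf out = { {0}, 0 };
    size_t n = sizeof(hdr) - 1;

    memset(buf, 0, sizeof(buf));
    memcpy(buf, hdr, n);                /* buf[n] is the NUL terminator */
    memcpy(buf + n + 1, "XYZ", 3);      /* what a loop that runs past NUL reads */
    unquote_pair(&out, buf, helper);
    return strcmp(out.buf, expected) == 0;
}

int main(void)
{
    const char *s = "unterminated string smith ";
    printf("buggy helper returns NUL%+ld, fixed helper returns NUL%+ld\n",
           helper_return_offset(unquote_quoted_string_buggy, s),
           helper_return_offset(unquote_quoted_string_fixed, s));
    return 0;
}
```

In the real code the bytes after the terminator are whatever follows the strbuf's heap allocation, which is why the commit message says the tests only usually fail in a normal build and reliably fail under SANITIZE=address; the "XYZ" sentinel here plays the role ASan plays there. The `helper_return_offset` check is the cheapest regression test for this class of bug: any helper that hands a scanning pointer back to a NUL-terminated caller must return it at, never past, the terminator.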