commit - 3e6054c427d642654d5abed63965eead037a7b2f
commit + c98b0f0b57cce101941efd993eac8b9e3be2a70a
blob - 21a5f45a6a3532a761fd10a3571500e8c14f8087
blob + 0524ef11c75a6736de2b1e1866663ad0304d4b44
--- lib/privsep.c
+++ lib/privsep.c
break;
}
- if (*size + *hdrlen > GOT_PRIVSEP_INLINE_OBJECT_DATA_MAX) {
+ if (*size < 0 ||
+ *size + *hdrlen > GOT_PRIVSEP_INLINE_OBJECT_DATA_MAX) {
err = got_error(GOT_ERR_PRIVSEP_LEN);
break;
}
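Review bot: The sum `*size + *hdrlen` is still computed before it is compared, so the new test rejects a negative `*size` but can still pass if the addition wraps when both fields are large. The declarations of `size` and `hdrlen` are outside this hunk, so whether it can wrap depends on their types. Bounding each term separately removes the question: `if (*size < 0 || *size > GOT_PRIVSEP_INLINE_OBJECT_DATA_MAX || *hdrlen > GOT_PRIVSEP_INLINE_OBJECT_DATA_MAX - *size) {`. The enclosing case starts and ends outside the hunk.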
break;
}
iprogress = (struct got_imsg_index_pack_progress *)imsg.data;
+ if (iprogress->nobj_total < 0 || iprogress->nobj_indexed < 0 ||
+ iprogress->nobj_loose < 0 || iprogress->nobj_resolved < 0) {
+ err = got_error(GOT_ERR_RANGE);
+ break;
+ }
*nobj_total = iprogress->nobj_total;
*nobj_indexed = iprogress->nobj_indexed;
*nobj_loose = iprogress->nobj_loose;
return got_error(GOT_ERR_PRIVSEP_LEN);
iobj = imsg->data;
+ if (iobj->pack_offset < 0)
+ return got_error(GOT_ERR_PACK_OFFSET);
+
*obj = calloc(1, sizeof(**obj));
if (*obj == NULL)
return got_error_from_errno("calloc");
break;
}
- if (*size > GOT_PRIVSEP_INLINE_BLOB_DATA_MAX) {
+ if (*size > GOT_PRIVSEP_INLINE_BLOB_DATA_MAX ||
+ *size > datalen + sizeof(*iblob)) {
err = got_error(GOT_ERR_PRIVSEP_LEN);
break;
}
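Review bot: The bound added here, `*size > datalen + sizeof(*iblob)`, adds the header size where it would need to be subtracted, so it accepts a `*size` larger than the number of bytes that follow the header in the message. The ID-list and delta hunks later in this commit compare against `datalen - sizeof(*idlist)` and `datalen - sizeof(*ideltas)`; the matching form here is `*size > datalen - sizeof(*iblob)`. The code that consumes `*size` is outside the hunk, but if it copies that many bytes from behind the header, as the inline-data limit suggests, the check as written still permits a read past the end of the received payload. The subtraction also relies on `datalen >= sizeof(*iblob)` having been established earlier, which is not visible here.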
break;
}
memcpy(&iremotes, imsg.data, sizeof(iremotes));
+ if (iremotes.nremotes < 0) {
+ err = got_error(GOT_ERR_PRIVSEP_LEN);
+ break;
+ }
if (iremotes.nremotes == 0) {
imsg_free(&imsg);
return NULL;
break;
}
idlist = imsg.data;
- if (idlist->nids > GOT_IMSG_OBJ_ID_LIST_MAX_NIDS) {
+ if (idlist->nids > GOT_IMSG_OBJ_ID_LIST_MAX_NIDS ||
+ idlist->nids * sizeof(**ids) > datalen - sizeof(*idlist)) {
err = got_error(GOT_ERR_PRIVSEP_LEN);
break;
}
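Review bot: `datalen - sizeof(*idlist)` wraps to a very large value if `datalen` is an unsigned type smaller than the header, in which case the new bound rejects nothing. Neither the declaration of `datalen` nor any earlier `datalen < sizeof(*idlist)` test is visible in this hunk. If that test exists above, a comment such as `/* datalen >= sizeof(*idlist) was verified above */` would record the dependency; if not, add `datalen < sizeof(*idlist) ||` as the first operand. The same applies to `datalen - sizeof(*ideltas)` in the delta hunk that follows. In both places the `GOT_IMSG_OBJ_ID_LIST_MAX_NIDS` comparison should stay first, since it is what keeps the multiplication from overflowing before the length comparison.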
break;
}
ideltas = imsg.data;
- if (ideltas->ndeltas > GOT_IMSG_OBJ_ID_LIST_MAX_NIDS) {
+ if (ideltas->ndeltas > GOT_IMSG_OBJ_ID_LIST_MAX_NIDS ||
+ ideltas->ndeltas * sizeof(*deltas) >
+ datalen - sizeof(*ideltas)) {
err = got_error(GOT_ERR_PRIVSEP_LEN);
break;
}