commit a396f31332bc05dfcba73d72e5aabedddf20508f
from: Stefan Sperling <stsp@stsp.name>
via: Thomas Adam <thomas@xteddy.org>
date: Thu May 19 13:34:05 2022 UTC

prevent an out-of-bounds access in got_privsep_recv_tree()

commit - c3bacae2a3794d951de554d609750fcf4ef316fa
commit + a396f31332bc05dfcba73d72e5aabedddf20508f
blob - e3b29490bfb7f4d880832f0ed597164fb4b17d1f
blob + a3cb9d7820ffe91d57560e008a9011a0bc75616b
--- lib/privsep.c
+++ lib/privsep.c
@@ -1657,6 +1657,10 @@ got_privsep_recv_tree(struct got_tree_object **tree, s
 
 			if (datalen + 1 > sizeof(te->name)) {
 				err = got_error(GOT_ERR_NO_SPACE);
+				break;
+			}
+			if (nentries >= (*tree)->nentries) {
+				err = got_error(GOT_ERR_PRIVSEP_LEN);
 				break;
 			}
 			te = &(*tree)->entries[nentries];