Skip to content

Commit e1e12e9

Browse files
pks-tgitster
pks-t
authored and
gitster
committed
attr: fix integer overflow with more than INT_MAX macros
Attributes have a field that tracks the position in the `all_attrs` array they're stored inside. This field gets set via `hashmap_get_size` when adding the attribute to the global map of attributes. But while the field is of type `int`, the value returned by `hashmap_get_size` is an `unsigned int`. It can thus happen that the value overflows, where we would now dereference teh `all_attrs` array at an out-of-bounds value. We do have a sanity check for this overflow via an assert that verifies the index matches the new hashmap's size. But asserts are not a proper mechanism to detect against any such overflows as they may not in fact be compiled into production code. Fix this by using an `unsigned int` to track the index and convert the assert to a call `die()`. Reported-by: Jeff King <[email protected]> Signed-off-by: Junio C Hamano <[email protected]>
1 parent 447ac90 commit e1e12e9

File tree

1 file changed

+5
-5
lines changed

1 file changed

+5
-5
lines changed

attr.c

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -28,7 +28,7 @@ static const char git_attr__unknown[] = "(builtin)unknown";
2828
#endif
2929

3030
struct git_attr {
31-
int attr_nr; /* unique attribute number */
31+
unsigned int attr_nr; /* unique attribute number */
3232
char name[FLEX_ARRAY]; /* attribute name */
3333
};
3434

@@ -226,8 +226,8 @@ static const struct git_attr *git_attr_internal(const char *name, size_t namelen
226226
a->attr_nr = hashmap_get_size(&g_attr_hashmap.map);
227227

228228
attr_hashmap_add(&g_attr_hashmap, a->name, namelen, a);
229-
assert(a->attr_nr ==
230-
(hashmap_get_size(&g_attr_hashmap.map) - 1));
229+
if (a->attr_nr != hashmap_get_size(&g_attr_hashmap.map) - 1)
230+
die(_("unable to add additional attribute"));
231231
}
232232

233233
hashmap_unlock(&g_attr_hashmap);
@@ -1064,7 +1064,7 @@ static void determine_macros(struct all_attrs_item *all_attrs,
10641064
for (i = stack->num_matches; i > 0; i--) {
10651065
const struct match_attr *ma = stack->attrs[i - 1];
10661066
if (ma->is_macro) {
1067-
int n = ma->u.attr->attr_nr;
1067+
unsigned int n = ma->u.attr->attr_nr;
10681068
if (!all_attrs[n].macro) {
10691069
all_attrs[n].macro = ma;
10701070
}
@@ -1116,7 +1116,7 @@ void git_check_attr(const struct index_state *istate,
11161116
collect_some_attrs(istate, path, check);
11171117

11181118
for (i = 0; i < check->nr; i++) {
1119-
size_t n = check->items[i].attr->attr_nr;
1119+
unsigned int n = check->items[i].attr->attr_nr;
11201120
const char *value = check->all_attrs[n].value;
11211121
if (value == ATTR__UNKNOWN)
11221122
value = ATTR__UNSET;

0 commit comments

Comments
 (0)