git.ipfire.org Git - thirdparty/git.git/commit - t/t4205-log-pretty-formats.sh

author	Patrick Steinhardt <ps@pks.im>
	Thu, 1 Dec 2022 14:47:23 +0000 (15:47 +0100)
committer	Junio C Hamano <gitster@pobox.com>
	Fri, 9 Dec 2022 05:26:21 +0000 (14:26 +0900)
commit	304a50adff6480ede46b68f7545baab542cbfb46
tree	865578d1011a7c2a3ba0b844887a1e96f0f9aaa9	tree \| snapshot
parent	f930a2394303b902e2973f4308f96529f736b8bc	commit \| diff

pretty: restrict input lengths for padding and wrapping formats

Both the padding and wrapping formatting directives allow the caller to
specify an integer that ultimately leads to us adding this many chars to
the result buffer. As a consequence, it is trivial to e.g. allocate 2GB
of RAM via a single formatting directive and cause resource exhaustion
on the machine executing this logic. Furthermore, it is debatable
whether there are any sane usecases that require the user to pad data to
2GB boundaries or to indent wrapped data by 2GB.

Restrict the input sizes to 16 kilobytes at a maximum to limit the
amount of bytes that can be requested by the user. This is not meant
as a fix because there are ways to trivially amplify the amount of
data we generate via formatting directives; the real protection is
achieved by the changes in previous steps to catch and avoid integer
wraparound that causes us to under-allocate and access beyond the
end of allocated memory reagions. But having such a limit
significantly helps fuzzing the pretty format, because the fuzzer is
otherwise quite fast to run out-of-memory as it discovers these
formatters.

Signed-off-by: Patrick Steinhardt <ps@pks.im>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

pretty.c		diff \| blob \| blame \| history
t/t4205-log-pretty-formats.sh		diff \| blob \| blame \| history