git.ipfire.org Git - thirdparty/git.git/commitdiff
packfile: avoid overflowing shift during decode
author Jonathan Tan <jonathantanmy@google.com>
Wed, 10 Nov 2021 23:40:33 +0000 (15:40 -0800)
committer Junio C Hamano <gitster@pobox.com>
Thu, 11 Nov 2021 18:06:37 +0000 (10:06 -0800)
unpack_object_header_buffer() attempts to protect against overflowing
left shifts, but the limit of the shift amount should not be the size of
the variable being shifted. It should be the size minus the size of its
contents. Fix that accordingly.

This was noticed at $DAYJOB by a fuzzer running internally.

Signed-off-by: Jonathan Tan <jonathantanmy@google.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
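The overflow the commit message describes, as an added stand-alone example (not git's code): a model of the pack object header decode in which the width of `unsigned long` is a parameter, so the 32-bit and 64-bit cases can both be run on one host, and the bound used in the loop is selectable between the pre-patch check, the patched check, and the exact bound (`shift + 7 > bitsizeof(long)`, i.e. the 7 payload bits of the next byte must fit). The function names, the `bits`/`bound` parameters and the crafted header bytes are all assumptions made for this example; the crafted input is constructed, not a real fuzzer artifact.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of git's pack object header decode (added example, not git's code).
 * First byte: type in bits 4-6, low 4 bits of the size; then base-128
 * continuation bytes with 7 size bits each, at shift 4, 11, 18, ...
 * `bits` (32 or 64) emulates the width of `unsigned long`; payload bits
 * shifted past that width are dropped, as an unsigned left shift would. */

enum bound {
    BOUND_PRE_PATCH, /* bitsizeof(long) <= shift        (before the patch) */
    BOUND_PATCH,     /* (bitsizeof(long) - 7) <= shift  (the patch)        */
    BOUND_EXACT      /* shift + 7 > bitsizeof(long)     (payload must fit)  */
};

/* Returns bytes consumed, or 0 for a malformed or overflowing header. */
size_t decode_header(const unsigned char *buf, size_t len, unsigned bits,
                     enum bound bound, unsigned *type, uint64_t *sizep)
{
    uint64_t mask = bits == 64 ? UINT64_MAX : (UINT64_C(1) << bits) - 1;
    uint64_t c, size;
    unsigned shift;
    size_t used = 0;

    *sizep = 0;
    if (len == 0)
        return 0;
    c = buf[used++];
    *type = (c >> 4) & 7;
    size = c & 15;
    shift = 4;
    while (c & 0x80) {
        int too_far = bound == BOUND_PRE_PATCH ? bits <= shift
                    : bound == BOUND_PATCH     ? bits - 7 <= shift
                    :                            shift + 7 > bits;
        if (len <= used || too_far)
            return 0;                        /* "bad object header" */
        c = buf[used++];
        size = (size + ((c & 0x7f) << shift)) & mask;
        shift += 7;
    }
    *sizep = size;
    return used;
}

/* Inverse of decode_header: writes the canonical encoding, returns its length. */
size_t encode_header(unsigned char *out, unsigned type, uint64_t size)
{
    size_t n = 0;
    unsigned char b = (unsigned char)((type << 4) | (size & 15));
    size >>= 4;
    while (size) {
        out[n++] = b | 0x80;
        b = size & 0x7f;
        size >>= 7;
    }
    out[n++] = b;
    return n;
}

/* 1 if encode -> decode at the given width and bound reproduces (type, size). */
int roundtrip_ok(unsigned type, uint64_t size, unsigned bits, enum bound bound)
{
    unsigned char buf[16];
    unsigned t;
    uint64_t s;
    size_t n = encode_header(buf, type, size);
    return decode_header(buf, n, bits, bound, &t, &s) == n && t == type && s == size;
}

/* Constructed fuzzer-style input: nine continuation bytes put the last payload
 * at shift 60, and that payload (0x10) would need bit 64 of a 64-bit long.
 * It is not the encoding of any representable size. */
static const unsigned char CRAFTED64[] = {
    0xA0, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x10
};

size_t consumed(const unsigned char *hdr, size_t len, unsigned bits, enum bound bound)
{
    unsigned t; uint64_t s;
    return decode_header(hdr, len, bits, bound, &t, &s);
}

uint64_t decoded_size(const unsigned char *hdr, size_t len, unsigned bits, enum bound bound)
{
    unsigned t; uint64_t s;
    decode_header(hdr, len, bits, bound, &t, &s);
    return s;
}

int main(void)
{
    printf("crafted header, 64-bit, pre-patch bound: consumed %zu bytes, size %llu\n",
           consumed(CRAFTED64, sizeof CRAFTED64, 64, BOUND_PRE_PATCH),
           (unsigned long long)decoded_size(CRAFTED64, sizeof CRAFTED64, 64, BOUND_PRE_PATCH));
    printf("crafted header, 64-bit, patched bound:   consumed %zu bytes\n",
           consumed(CRAFTED64, sizeof CRAFTED64, 64, BOUND_PATCH));
    printf("2^31 on 32-bit long: pre-patch %d, patch %d, exact %d\n",
           roundtrip_ok(1, UINT64_C(1) << 31, 32, BOUND_PRE_PATCH),
           roundtrip_ok(1, UINT64_C(1) << 31, 32, BOUND_PATCH),
           roundtrip_ok(1, UINT64_C(1) << 31, 32, BOUND_EXACT));
    return 0;
}
```

With the pre-patch bound on a 64-bit long the crafted ten-byte header is accepted and decodes to size 0, because the payload at shift 60 is shifted straight out of the accumulator; both the patched and the exact bound reject it. The 32-bit run shows the other side of the patched bound: a size of 2^31 needs a byte at shift 25, whose seven bits fit exactly in bits 25..31, and `(bitsizeof(long) - 7) <= shift` refuses it while the exact bound (and, as it happens, the pre-patch check) accepts it.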
packfile.c

index 9ef6d98292808718dfadc3b9efec0fb0dc2275f5..d3820c780b46605e11817d479880a99959a2bddf 100644 (file)
@@ -1067,7 +1067,7 @@ unsigned long unpack_object_header_buffer(const unsigned char *buf,
        size = c & 15;
        shift = 4;
        while (c & 0x80) {
-               if (len <= used || bitsizeof(long) <= shift) {
+               if (len <= used || (bitsizeof(long) - 7) <= shift) {
                        error("bad object header");
                        size = used = 0;
                        break;
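Review bot: the new bound `(bitsizeof(long) - 7) <= shift` is off by one on the conservative side. Taking the 7 from the hunk as the width of each continuation byte's payload, the shift is lossless whenever shift + 7 <= bitsizeof(long), so the exact rejection condition is `(bitsizeof(long) - 7) < shift`; the `<=` additionally rejects shift == bitsizeof(long) - 7, where the payload lands exactly in the top 7 bits. With shift starting at 4 (visible above) and, if it advances by 7 per byte as the -7 implies, taking the values 4, 11, 18, 25, ..., that boundary is never hit for a 64-bit long (57 is not in the sequence) but is hit for a 32-bit long at shift 25, so a 32-bit build would now report "bad object header" for any size that needs that byte, which the old `bitsizeof(long) <= shift` check handled without overflow. Suggest `(bitsizeof(long) - 7) < shift`, and a sentence in the commit message stating that 7 is the per-byte payload width so the constant is self-explaining.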