From b8dc2fdb92c350b786fe4cb27e9b841b794c1e86 Mon Sep 17 00:00:00 2001 From: Edward Thomson Date: Thu, 9 Jul 2015 18:36:53 -0500 Subject: [PATCH] zstream: fail when asked to inflate garbage When we are provided some input buffer (with a length) to inflate, and it contains more data than simply the deflated data, fail. zlib will helpfully tell us when it is done reading (via Z_STREAM_END), so if there is data leftover in the input buffer, fail lest we continually try to inflate it. --- src/zstream.c | 5 +++++ tests/core/zstream.c | 19 +++++++++++++++++++ 2 files changed, 24 insertions(+) diff --git a/src/zstream.c b/src/zstream.c index 6533449e8..d9ad4ca89 100644 --- a/src/zstream.c +++ b/src/zstream.c @@ -86,6 +86,11 @@ int git_zstream_get_output(void *out, size_t *out_len, git_zstream *zstream) int zflush = Z_FINISH; size_t out_remain = *out_len; + if (zstream->in_len && zstream->zerr == Z_STREAM_END) { + giterr_set(GITERR_ZLIB, "zlib input had trailing garbage"); + return -1; + } + while (out_remain > 0 && zstream->zerr != Z_STREAM_END) { size_t out_queued, in_queued, out_used, in_used; diff --git a/tests/core/zstream.c b/tests/core/zstream.c index b13429b0a..961904ec3 100644 --- a/tests/core/zstream.c +++ b/tests/core/zstream.c @@ -58,6 +58,25 @@ void test_core_zstream__basic(void) assert_zlib_equal(data, strlen(data) + 1, out, outlen); } +void test_core_zstream__fails_on_trailing_garbage(void) +{ + git_buf deflated = GIT_BUF_INIT, inflated = GIT_BUF_INIT; + size_t i = 0; + + /* compress a simple string */ + git_zstream_deflatebuf(&deflated, "foobar!!", 8); + + /* append some garbage */ + for (i = 0; i < 10; i++) { + git_buf_putc(&deflated, i); + } + + cl_git_fail(git_zstream_inflatebuf(&inflated, deflated.ptr, deflated.size)); + + git_buf_free(&deflated); + git_buf_free(&inflated); +} + void test_core_zstream__buffer(void) { git_buf out = GIT_BUF_INIT;