r38599 | hwright | 2009-08-06 14:53:51 -0500 (Thu, 06 Aug 2009)
Fix various issues (including security holes) related to integer overflow in
Note that this does assume that nobody is sending us delta windows larger than
the 100K (SVN_DELTA_WINDOW_SIZE) that we generate. Since we only promise to be
API-compatible, not wire-protocol compatible (ie, notes/svndiff is instructions
to svn developers, not to reimplementors), this should be safe. We did confirm
that SVNKit uses the same window size.
(MAX_ENCODED_INT_LEN, MAX_INSTRUCTION_LEN, MAX_INSTRUCTION_SECTION_LEN): New.
(encode_int): Document that the buffer size must be at least
MAX_ENCODED_INT_LEN, and assert that we are only writing that much.
(append_encoded_int, window_handler): Use new constants for buffer
(decode_file_offset, decode_size): Don't try to read more than
(zlib_decode): Check return value from decode_size. Enforce a limit
on decoded data size.
(count_and_verify_instructions): Switch distracting (unsigned_int <= 0) to
just be (unsigned_int == 0). Ensure that op.offset is not greater than
sview_len for from-source operations.
(decode_window): Pass appropriate size limits to zlib_decode.
(write_handler, read_window_header): Ensure that the various lengths are not
greater than the window size that Subversion code generates.
(size_buffer): Assert that the buffer we're allocating won't overflow in
apr_palloc. Make it return svn_error_t *.
Patch by: Matt Lewis <email@example.com>