patch-delta: fix oob read
/*
 * patch-delta.c:
 * recreate a buffer from a source and the delta produced by diff-delta.c
 *
 * (C) 2005 Nicolas Pitre <nico@fluxnic.net>
 *
 * This code is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */
11
57b73150 12#include "git-compat-util.h"
13#include "delta.h"
14
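/*
 * Rebuild a target buffer by replaying the delta in delta_buf against the
 * source in src_buf.
 *
 * The delta starts with two variable-length sizes read by
 * get_delta_hdr_size(): the expected source size and the result size.
 * It is followed by a stream of opcodes:
 *
 *   - high bit set: copy from the source. Bits 0x01..0x08 each announce
 *     one byte of the copy offset and bits 0x10..0x40 one byte of the copy
 *     length, least significant byte first. A length of 0 means 0x10000.
 *   - 1..127: insert that many literal bytes taken from the delta itself.
 *   - 0: reserved, treated as corruption.
 *
 * The delta is untrusted input (it may come from a corrupt or hostile
 * pack), so every read from delta_buf and src_buf and every write to the
 * result is bounds-checked before it happens.
 *
 * Returns the result buffer and stores the number of bytes written in
 * *dst_size. Returns NULL if the delta is shorter than DELTA_SIZE_MIN, if
 * its source-size header does not equal src_size, or if the opcode stream
 * is malformed. The failure path releases the buffer with free(), so the
 * caller presumably owns the returned buffer and frees it the same way.
 */
void *patch_delta(const void *src_buf, unsigned long src_size,
		  const void *delta_buf, unsigned long delta_size,
		  unsigned long *dst_size)
{
	const unsigned char *data, *top;
	unsigned char *dst_buf, *out, cmd;
	unsigned long size;

	if (delta_size < DELTA_SIZE_MIN)
		return NULL;

	data = delta_buf;
	top = (const unsigned char *) delta_buf + delta_size;

	/* make sure the orig file size matches what we expect */
	size = get_delta_hdr_size(&data, top);
	if (size != src_size)
		return NULL;

	/* now the result size; from here on "size" is the room left in dst */
	size = get_delta_hdr_size(&data, top);
	dst_buf = xmallocz(size);

	out = dst_buf;
	while (data < top) {
		cmd = *data++;
		if (cmd & 0x80) {
			unsigned long cp_off = 0, cp_size = 0;
			unsigned int bit, nparams = 0;

			/*
			 * Each flag set in the low seven bits consumes one
			 * more byte of the delta. Count them up front and
			 * refuse a copy command whose parameters would run
			 * past the end of the delta buffer; without this a
			 * truncated delta makes the reads below go out of
			 * bounds.
			 */
			for (bit = 0x01; bit < 0x80; bit <<= 1)
				if (cmd & bit)
					nparams++;
			if (nparams > (size_t)(top - data))
				goto bad_length;

			if (cmd & 0x01) cp_off = *data++;
			if (cmd & 0x02) cp_off |= (*data++ << 8);
			if (cmd & 0x04) cp_off |= (*data++ << 16);
			/* cast first: shifting into the sign bit of int is UB */
			if (cmd & 0x08) cp_off |= ((unsigned) *data++ << 24);
			if (cmd & 0x10) cp_size = *data++;
			if (cmd & 0x20) cp_size |= (*data++ << 8);
			if (cmd & 0x40) cp_size |= (*data++ << 16);
			if (cp_size == 0) cp_size = 0x10000;

			/*
			 * The copy must lie inside the source and fit in the
			 * remaining output. Fail explicitly instead of
			 * breaking out of the loop: if this is the last
			 * command and the output is already full, the final
			 * sanity check would pass and the corruption would go
			 * unreported.
			 */
			if (unsigned_add_overflows(cp_off, cp_size) ||
			    cp_off + cp_size > src_size ||
			    cp_size > size)
				goto bad_length;
			memcpy(out, (const char *) src_buf + cp_off, cp_size);
			out += cp_size;
			size -= cp_size;
		} else if (cmd) {
			/* literal insert: bounded by output room and delta left */
			if (cmd > size || cmd > top - data)
				goto bad_length;
			memcpy(out, data, cmd);
			out += cmd;
			data += cmd;
			size -= cmd;
		} else {
			/*
			 * cmd == 0 is reserved for future encoding
			 * extensions. In the mean time we must fail when
			 * encountering them (might be data corruption).
			 */
			error("unexpected delta opcode 0");
			goto bad;
		}
	}

	/* sanity check: whole delta consumed and result completely filled */
	if (data != top || size != 0) {
bad_length:
		error("delta replay has gone wild");
bad:
		free(dst_buf);
		return NULL;
	}

	*dst_size = out - dst_buf;
	return dst_buf;
}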