1 files changed, 90 insertions, 0 deletions

diff --git a/meta/recipes-devtools/git/files/CVE-2022-41903-06.patch b/meta/recipes-devtools/git/files/CVE-2022-41903-06.patch
new file mode 100644
index 0000000000..93fbe5c7fe
--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2022-41903-06.patch
@@ -0,0 +1,90 @@
+From 48050c42c73c28b0c001d63d11dffac7e116847b Mon Sep 17 00:00:00 2001
+From: Patrick Steinhardt <ps@pks.im>
+Date: Thu, 1 Dec 2022 15:46:49 +0100
+Subject: [PATCH 06/12] pretty: fix integer overflow in wrapping format
+
+The `%w(width,indent1,indent2)` formatting directive can be used to
+rewrap text to a specific width and is designed after git-shortlog(1)'s
+`-w` parameter. While the three parameters are all stored as `size_t`
+internally, `strbuf_add_wrapped_text()` accepts integers as input. As a
+result, the casted integers may overflow. As these now-negative integers
+are later on passed to `strbuf_addchars()`, we will ultimately run into
+implementation-defined behaviour due to casting a negative number back
+to `size_t` again. On my platform, this results in trying to allocate
+9000 petabyte of memory.
+
+Fix this overflow by using `cast_size_t_to_int()` so that we reject
+inputs that cannot be represented as an integer.
+
+Signed-off-by: Patrick Steinhardt <ps@pks.im>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+
+Upstream-Status: Backport [https://github.com/git/git/commit/48050c42c73c28b0c001d63d11dffac7e116847b]
+CVE: CVE-2022-41903
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ git-compat-util.h             |  8 ++++++++
+ pretty.c                      |  4 +++-
+ t/t4205-log-pretty-formats.sh | 12 ++++++++++++
+ 3 files changed, 23 insertions(+), 1 deletion(-)
+
+diff --git a/git-compat-util.h b/git-compat-util.h
+index a1ecfd3..b0f3890 100644
+--- a/git-compat-util.h
++++ b/git-compat-util.h
+@@ -854,6 +854,14 @@ static inline size_t st_sub(size_t a, size_t b)
+ 	return a - b;
+ }
+ 
++static inline int cast_size_t_to_int(size_t a)
++{
++	if (a > INT_MAX)
++		die("number too large to represent as int on this platform: %"PRIuMAX,
++		    (uintmax_t)a);
++	return (int)a;
++}
++
+ #ifdef HAVE_ALLOCA_H
+ # include <alloca.h>
+ # define xalloca(size)      (alloca(size))
+diff --git a/pretty.c b/pretty.c
+index 195d005..ff9fc97 100644
+--- a/pretty.c
++++ b/pretty.c
+@@ -898,7 +898,9 @@ static void strbuf_wrap(struct strbuf *sb, size_t pos,
+ 	if (pos)
+ 		strbuf_add(&tmp, sb->buf, pos);
+ 	strbuf_add_wrapped_text(&tmp, sb->buf + pos,
+-				(int) indent1, (int) indent2, (int) width);
++				cast_size_t_to_int(indent1),
++				cast_size_t_to_int(indent2),
++				cast_size_t_to_int(width));
+ 	strbuf_swap(&tmp, sb);
+ 	strbuf_release(&tmp);
+ }
+diff --git a/t/t4205-log-pretty-formats.sh b/t/t4205-log-pretty-formats.sh
+index fa1bc2b..23ac508 100755
+--- a/t/t4205-log-pretty-formats.sh
++++ b/t/t4205-log-pretty-formats.sh
+@@ -808,6 +808,18 @@ test_expect_success 'log --pretty with magical wrapping directives' '
+ 	test_cmp expect actual
+ '
+ 
++test_expect_success SIZE_T_IS_64BIT 'log --pretty with overflowing wrapping directive' '
++	cat >expect <<-EOF &&
++	fatal: number too large to represent as int on this platform: 2147483649
++	EOF
++	test_must_fail git log -1 --pretty="format:%w(2147483649,1,1)%d" 2>error &&
++	test_cmp expect error &&
++	test_must_fail git log -1 --pretty="format:%w(1,2147483649,1)%d" 2>error &&
++	test_cmp expect error &&
++	test_must_fail git log -1 --pretty="format:%w(1,1,2147483649)%d" 2>error &&
++	test_cmp expect error
++'
++
+ test_expect_success EXPENSIVE,SIZE_T_IS_64BIT 'log --pretty with huge commit message' '
+ 	# We only assert that this command does not crash. This needs to be
+ 	# executed with the address sanitizer to demonstrate failure.
+-- 
+2.25.1
+