Potential Security Vulnerability: Type Mismatch in PyArg_ParseTuple for the Size Parameter
Description:
In pygit2/src/odb_backend.c, the C functions pgit_odb_backend_read and pgit_odb_backend_read_prefix are installed as the read and read_prefix callbacks of a libgit2 custom ODB backend. libgit2 hands each of them a parameter sz of type size_t * through which the callback must report the object's size.
The code passes that size_t * directly as the length output of the y# format, the slot PyArg_ParseTuple fills with the length of the returned bytes object:
//pgit_odb_backend_read
if (!PyArg_ParseTuple(result, "ny#", &type_value, &bytes, sz) || !bytes) { ... }
//pgit_odb_backend_read_prefix
if (!PyArg_ParseTuple(result, "ny#O", &type_value, &bytes, sz, &py_oid_out) || !bytes) { ... }
This passes a pointer of the wrong type to PyArg_ParseTuple: with PY_SSIZE_T_CLEAN defined, the y# length slot expects Py_ssize_t *, not size_t *. Because PyArg_ParseTuple is variadic, the compiler performs no type checking on that argument, so the mismatch produces no warning and is easy to miss in review.
Version
commit hash: cb10c2e39c44cd31ef3d83d6300b8aad4bd473b6
Impact
With PY_SSIZE_T_CLEAN defined, PyArg_ParseTuple stores a Py_ssize_t through the pointer. Py_ssize_t is defined (PEP 353) as the signed integer type with the same width as size_t, so the store fills exactly the size_t object that libgit2 provided and does not overrun it, and since the length of a bytes object is never negative, reading the stored value back as size_t yields the correct length. On its own, the mismatch is therefore a C type error (signed written where unsigned is expected) rather than a memory-safety bug.
It becomes one if the translation unit is compiled without PY_SSIZE_T_CLEAN on Python 3.9 or earlier, where the # formats store an int instead: on an LP64 platform that overwrites only 4 of the 8 bytes of *sz and leaves the other 4 with whatever was in memory before the call, so *sz can come out far larger than the data actually returned. Whether odb_backend.c is built with PY_SSIZE_T_CLEAN is the first thing to verify when triaging this report.
The stored size then drives the copy of the Python-owned buffer into the object data:
//pgit_odb_backend_read
memcpy(*ptr, bytes, *sz);
//pgit_odb_backend_read_prefix
memcpy(*ptr, bytes, *sz);
If *sz is larger than the real length of the bytes object, memcpy reads past the end of the source buffer bytes, and if the newly allocated destination *ptr was not sized from that same *sz it also writes past the end of *ptr; either outcome is a crash or memory corruption inside the ODB read path. With a correctly stored Py_ssize_t length, *sz equals the length of bytes and the copy stays in bounds.
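To make the two possible stores concrete, the following is an added example written for this review (not pygit2 or CPython code). It emulates with memcpy what the y# length store does to the size_t that libgit2 passes in, once as a Py_ssize_t store and once as the legacy int store, and shows the checked conversion a callback should use instead of handing sz straight to PyArg_ParseTuple. It assumes ssize_t as a stand-in for Py_ssize_t; the names emulate_y_hash_store, size_seen_by_libgit2 and store_object_size are the example's own.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <sys/types.h>  /* ssize_t stands in for Py_ssize_t here (assumption) */

/*
 * Model of the length store performed by PyArg_ParseTuple's "y#" format.
 * With PY_SSIZE_T_CLEAN defined it stores a Py_ssize_t; on Python 3.9 and
 * earlier without that macro it stores an int. memcpy is used so that the
 * emulated store writes exactly that many bytes and nothing else.
 */
static void emulate_y_hash_store(void *len_slot, size_t bytes_len, int ssize_t_clean)
{
    if (ssize_t_clean) {
        ssize_t n = (ssize_t)bytes_len; /* same width as size_t (PEP 353) */
        memcpy(len_slot, &n, sizeof n);
    } else {
        int n = (int)bytes_len;         /* legacy int length: narrower on LP64 */
        memcpy(len_slot, &n, sizeof n);
    }
}

/*
 * Emulates the callback's size_t *sz. libgit2 owns that size_t and it holds
 * whatever was in memory before the call (`initial`). Returns what libgit2
 * would read back after the store.
 */
size_t size_seen_by_libgit2(size_t initial, size_t bytes_len, int ssize_t_clean)
{
    size_t sz = initial;
    emulate_y_hash_store(&sz, bytes_len, ssize_t_clean);
    return sz;
}

/*
 * The conversion a hardened callback should do: parse into a Py_ssize_t
 * temporary, reject anything that cannot be a valid length, then assign to
 * the size_t libgit2 owns. Returns 0 on success, -1 if `parsed` is unusable.
 */
int store_object_size(size_t *sz, ssize_t parsed)
{
    if (parsed < 0)
        return -1;
    *sz = (size_t)parsed;
    return 0;
}

int main(void)
{
    size_t stale = (size_t)-1; /* stand-in for stale contents of the size_t */
    printf("Py_ssize_t store: %zu\n", size_seen_by_libgit2(stale, 1234, 1));
    printf("int store:        %zu\n", size_seen_by_libgit2(stale, 1234, 0));
    return 0;
}
```

In the pygit2 callbacks this corresponds to parsing y# into a local Py_ssize_t len and then calling store_object_size(sz, len) (or the equivalent inline check) before the allocation and memcpy, so that the value libgit2 sees is always the length PyArg_ParseTuple actually produced, whatever width the format was compiled with. The Py_ssize_t store returns 1234 regardless of the stale value; the int store returns 1234 only when sizeof(int) == sizeof(size_t), which is exactly the case the report is worried about on 64-bit builds.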
Hi team,
Could you please confirm the bug at your earliest convenience? Thank you.