)]}'
{
  "commit": "0ca6ead81edd4fb1984b69aae87c1189e3025530",
  "tree": "84d7ef2636338c14dc24372b0af71c76e1adb835",
  "parents": [
    "71ad7fe1bcec2a115bd0ab187240348358aa7f21"
  ],
  "author": {
    "name": "Kevin Backhouse",
    "email": "kevinbackhouse@github.com",
    "time": "Wed Sep 28 18:53:32 2022 -0400"
  },
  "committer": {
    "name": "Taylor Blau",
    "email": "me@ttaylorr.com",
    "time": "Sat Oct 01 00:23:38 2022 -0400"
  },
  "message": "alias.c: reject too-long cmdline strings in split_cmdline()\n\nThis function improperly uses an int to represent the number of entries\nin the resulting argument array. This allows a malicious actor to\nintentionally overflow the return value, leading to arbitrary heap\nwrites.\n\nBecause the resulting argv array is typically passed to execv(), it may\nbe possible to leverage this attack to gain remote code execution on a\nvictim machine. This was almost certainly the case for certain\nconfigurations of git-shell until the previous commit limited the size\nof input it would accept. Other calls to split_cmdline() are typically\nlimited by the size of argv the OS is willing to hand us, so are\nsimilarly protected.\n\nSo this is not strictly fixing a known vulnerability, but is a hardening\nof the function that is worth doing to protect against possible unknown\nvulnerabilities.\n\nOne approach to fixing this would be modifying the signature of\n`split_cmdline()` to look something like:\n\n    int split_cmdline(char *cmdline, const char ***argv, size_t *argc);\n\nWhere the return value of `split_cmdline()` is negative for errors, and\nzero otherwise. If non-NULL, the `*argc` pointer is modified to contain\nthe size of the `**argv` array.\n\nBut this implies an absurdly large `argv` array, which is more than likely\nlarger than the system\u0027s argument limit. So even if split_cmdline()\nallowed this, it would fail immediately afterwards when we called\nexecv(). So instead of converting all of `split_cmdline()`\u0027s callers to\nwork with `size_t` types in this patch, instead pursue the minimal fix\nhere to prevent ever returning an array with more than INT_MAX entries\nin it.\n\nSigned-off-by: Kevin Backhouse \u003ckevinbackhouse@github.com\u003e\nSigned-off-by: Taylor Blau \u003cme@ttaylorr.com\u003e\nSigned-off-by: Jeff King \u003cpeff@peff.net\u003e\nSigned-off-by: Taylor Blau \u003cme@ttaylorr.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "c4715380205b5f8dd032b16ade846842fa3c23b9",
      "old_mode": 33188,
      "old_path": "alias.c",
      "new_id": "00abde081739436236aa077412c3b5b686144f42",
      "new_mode": 33188,
      "new_path": "alias.c"
    }
  ]
}
