commit ace4d4e7e066dc48410d8dcf01d45d1a18986627
from: Stefan Sperling <stsp@stsp.name>
via: Thomas Adam <thomas@xteddy.org>
date: Thu May 19 13:34:05 2022 UTC

make got_privsep_recv_tree() reject trees with less than zero entries

commit - 8767bb940965a692a36958085832958a312923bc
commit + ace4d4e7e066dc48410d8dcf01d45d1a18986627
blob - 70dc341711c8c61360f3c8d9af25137cd6b9b9fb
blob + 3192f1d86a5ca080479c324750812a3ceada4201
--- lib/privsep.c
+++ lib/privsep.c
@@ -1616,6 +1616,10 @@ got_privsep_recv_tree(struct got_tree_object **tree, s
 				break;
 			}
 			itree = imsg.data;
+			if (itree->nentries < 0) {
+				err = got_error(GOT_ERR_PRIVSEP_LEN);
+				break;
+			}
 			*tree = malloc(sizeof(**tree));
 			if (*tree == NULL) {
 				err = got_error_from_errno("malloc");