Btw, this other test case will trigger a similar issue, but in another line of 

To reproduce: 

$ git init ; mkdir -p .git/objects/b2 ; printf 
 | base64 -d > .git/objects/b2/93584ddd61af21260be75ee9f73e9d53f08cd0


$ git fsck

notice: HEAD points to an unborn branch (master)
==24569==ERROR: AddressSanitizer: stack-buffer-overflow on address 
0x7ffe7645fda0 at pc 0x0000006fe799 bp 0x7ffe7645fc40 sp 0x7ffe7645fc30
READ of size 1 at 0x7ffe7645fda0 thread T0
    #0 0x6fe798 in parse_sha1_header_extended 

It will be nice to test the current patch.

----- Original Message -----
> Junio C Hamano <> writes:
> > I am inclined to say that it has no security implications.  You have
> > to be able to write a bogus loose object in an object store you
> > already have write access to in the first place, in order to cause
> > this ...
> Note that you could social-engineer others to fetch from you and
> feed a small enough update that results in loose objects created in
> their repositories, without you having a direct write access to the
> repository.
> The codepath under discussion in this thread however cannot be used
> as an attack vector via that route, because the "fetch from
> elsewhere" codepath runs verification of the incoming data stream
> before storing the results (either in loose object files, or in a
> packfile) on disk.

Reply via email to