Vivek and I discovered a couple of security bugs in the git index handling mechanism in libgit2 a year back. Two CVEs were assigned for the two issues discovered:

CVE-2018-8098 - Integer overflow which causes an out-of-bounds read.
CVE-2018-8099 - Double free caused by an incorrect return value.

Following is the mail I originally sent out to the libgit2 maintainers to report the vulnerabilities.

Double-Free

In the read_entry() function, git_decode_varint() can be made to fail with it returning varint_len as 0.
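An added example, not libgit2's code and not part of the report above: a decoder for the varint format that git index version 4 uses for its prefix-compression length, using the failure convention the mail refers to (on a malformed or overflowing varint, varint_len is set to 0 and 0 is returned, which is indistinguishable from a legitimately decoded 0 unless the caller tests varint_len), and a caller that reconstructs an entry path and rejects both a zero varint_len and a strip length larger than the previous path. The second check guards the subtraction last_len - strip_len, the kind of size_t wrap that turns into an out-of-bounds read; whether that is exactly the arithmetic behind CVE-2018-8098 is not stated on this page. The buffer-length bound inside the decoder, the function names and the sample records are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * git's "offset" varint: 7 data bits per byte, high bit set on every
 * byte except the last, and +1 per continuation so each value has one
 * encoding. Failure is signalled by *varint_len == 0 (and a 0 return).
 * The buflen bound is an addition of this example, not part of the
 * format, so the decoder cannot read past the end of the record.
 */
static uintmax_t decode_varint(const unsigned char *buf, size_t buflen,
                               size_t *varint_len)
{
	const unsigned char *p = buf;
	unsigned char c;
	uintmax_t val;

	*varint_len = 0;
	if (buflen == 0)
		return 0;
	c = *p++;
	val = c & 127;
	while (c & 128) {
		val += 1;
		/* Would the shift below drop bits, or would we read past the end? */
		if (val == 0 || (val >> (sizeof(val) * 8 - 7)) != 0 ||
		    (size_t)(p - buf) >= buflen)
			return 0;
		c = *p++;
		val = (val << 7) + (c & 127);
	}
	*varint_len = (size_t)(p - buf);
	return val;
}

/*
 * Expand one prefix-compressed path record "<varint strip><suffix>\0"
 * against the previous entry's path. Returns bytes consumed from rec,
 * or 0 if the record is malformed. Hypothetical helper for this example.
 */
static size_t read_compressed_path(const char *last, const unsigned char *rec,
                                   size_t rec_len, char *out, size_t out_size)
{
	size_t varint_len, last_len, prefix_len, suffix_len;
	uintmax_t strip_len;
	const unsigned char *suffix, *nul;

	strip_len = decode_varint(rec, rec_len, &varint_len);
	if (varint_len == 0)            /* decoder reported a bad varint */
		return 0;
	last_len = strlen(last);
	if (strip_len > last_len)       /* last_len - strip_len would wrap */
		return 0;
	prefix_len = last_len - (size_t)strip_len;

	suffix = rec + varint_len;      /* suffix must be NUL-terminated in rec */
	nul = memchr(suffix, 0, rec_len - varint_len);
	if (nul == NULL)
		return 0;
	suffix_len = (size_t)(nul - suffix);
	if (prefix_len + suffix_len + 1 > out_size)
		return 0;

	memcpy(out, last, prefix_len);
	memcpy(out + prefix_len, suffix, suffix_len + 1);
	return varint_len + suffix_len + 1;
}

/* Length in bytes of the varint at the front of rec, 0 if malformed. */
static size_t varint_len_of(const unsigned char *rec, size_t rec_len)
{
	size_t n;
	decode_varint(rec, rec_len, &n);
	return n;
}

/* 1 if rec expands (against last) to exactly `expect`. */
static int expands_to(const char *last, const unsigned char *rec,
                      size_t rec_len, const char *expect)
{
	char path[256];
	if (read_compressed_path(last, rec, rec_len, path, sizeof path) == 0)
		return 0;
	return strcmp(path, expect) == 0;
}

/* 1 if rec is rejected as malformed. */
static int rejects_record(const char *last, const unsigned char *rec,
                          size_t rec_len)
{
	char path[256];
	return read_compressed_path(last, rec, rec_len, path, sizeof path) == 0;
}

int main(void)
{
	/* Constructed records; sizeof includes the terminating NUL. */
	static const unsigned char good[] = "\x08" "other.c";   /* strip 8 of "dir/file.txt" */
	static const unsigned char too_long[] = "\x0d" "x";     /* strip 13 > 12 */
	static const unsigned char overflow[] =
		"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" "a";     /* varint never fits */
	static const unsigned char truncated[] = "\x80";        /* continuation, no next byte */

	printf("good      -> %d\n", expands_to("dir/file.txt", good, sizeof good, "dir/other.c"));
	printf("too_long  -> rejected=%d\n", rejects_record("dir/file.txt", too_long, sizeof too_long));
	printf("overflow  -> rejected=%d\n", rejects_record("dir/file.txt", overflow, sizeof overflow));
	printf("truncated -> rejected=%d\n", rejects_record("dir/file.txt", truncated, 1));
	return 0;
}
```

The point to carry into any caller of git_decode_varint() is the first branch: because 0 is both the error marker and a valid decoded value, the error check has to be on varint_len, and it has to happen before any length derived from the result is used or any allocation tied to the entry is made, so that the error path has exactly one owner for each buffer.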
My first pull request to the libgit2 project. It was this particular issue, #3817, that I chose to resolve. It was a bug in the git_config_parse_int64() function in parsing MIN_INT64 (-9223372036854775808). It is a minor bug, which occurs in the rarest of cases. Nevertheless, it was fun to debug and fix this one.

A cursory look at the code tells the following.

Check if the number is positive or negative:

if (*p == '-' || *p == '+')
    if (*p++ == '-')
        neg = 1;

ovfl - overflow flag
nn - number
n - assign after overflow

Code:
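An added example, not the libgit2 implementation and not the diff from the pull request: a minimal base-10 parser written the way the description above suggests (accumulate the number, set the overflow flag, then apply the sign), beside a version that accumulates in the negative direction so that INT64_MIN fits. The first rejects "-9223372036854775808" because its magnitude is INT64_MAX + 1; the second accepts it and still rejects "9223372036854775808" and "-9223372036854775809". Function names are hypothetical, and the other bases, end pointer and unit suffixes the real function handles are omitted.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Both parsers return 0 on success and -1 on overflow or a malformed
 * string. Hypothetical names; neither is libgit2's code.
 *
 * parse_int64_magnitude models the classic mistake: accumulate the
 * absolute value, check it against INT64_MAX, then apply the sign. The
 * magnitude of INT64_MIN is INT64_MAX + 1, so a representable value is
 * rejected. (An unsigned accumulator is used so the demonstration has
 * no undefined behaviour of its own.)
 */
static int parse_int64_magnitude(const char *s, int64_t *out)
{
	uint64_t mag = 0;
	int neg = 0, ndig = 0;

	if (*s == '-' || *s == '+')
		if (*s++ == '-')
			neg = 1;
	for (; *s >= '0' && *s <= '9'; s++, ndig++) {
		unsigned v = (unsigned)(*s - '0');
		if (mag > (UINT64_MAX - v) / 10)
			return -1;            /* accumulator itself would wrap */
		mag = mag * 10 + v;
	}
	if (ndig == 0 || *s != '\0')
		return -1;
	if (mag > (uint64_t)INT64_MAX)
		return -1;                /* overflow check before negation: the bug */
	*out = neg ? -(int64_t)mag : (int64_t)mag;
	return 0;
}

/*
 * parse_int64 accumulates downward, so the full range down to INT64_MIN
 * is reachable and only the positive case has to reject a final value
 * of INT64_MIN. Each step is checked before it is performed, so no
 * signed overflow (undefined behaviour in C) can occur.
 */
static int parse_int64(const char *s, int64_t *out)
{
	int64_t n = 0;
	int neg = 0, ndig = 0;

	if (*s == '-' || *s == '+')
		if (*s++ == '-')
			neg = 1;
	for (; *s >= '0' && *s <= '9'; s++, ndig++) {
		int v = *s - '0';
		/* n * 10 - v must stay >= INT64_MIN; C's truncating division
		 * on a negative operand is the ceiling we need here. */
		if (n < (INT64_MIN + v) / 10)
			return -1;
		n = n * 10 - v;
	}
	if (ndig == 0 || *s != '\0')
		return -1;
	if (!neg) {
		if (n == INT64_MIN)
			return -1;            /* +9223372036854775808 does not fit */
		n = -n;
	}
	*out = n;
	return 0;
}

typedef int (*parser_fn)(const char *, int64_t *);

/* 1 if `parse` accepts s and yields `expect`. */
static int yields(parser_fn parse, const char *s, int64_t expect)
{
	int64_t v;
	return parse(s, &v) == 0 && v == expect;
}

/* 1 if `parse` rejects s. */
static int rejects(parser_fn parse, const char *s)
{
	int64_t v;
	return parse(s, &v) != 0;
}

int main(void)
{
	const char *min = "-9223372036854775808";   /* constructed input */

	printf("magnitude parser rejects INT64_MIN: %d\n", rejects(parse_int64_magnitude, min));
	printf("fixed parser accepts INT64_MIN:     %d\n", yields(parse_int64, min, INT64_MIN));
	printf("fixed parser rejects INT64_MAX+1:   %d\n", rejects(parse_int64, "9223372036854775808"));
	return 0;
}
```

The overflow test in the fixed version is the whole fix: it compares the accumulator against the limit on the side the sign will actually land on, before the multiply, instead of comparing the sign-less magnitude after the fact.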