commit 1c7e06f6ae53cf4a755fe734db7114be67daf35b
Author: Jelmer Vernooĳ <jelmer@google.com>
Date:   Fri Mar 6 12:29:07 2015 +0000

    Fix buffer overflow in C version of apply_delta().
    
    This is CVE-2015-0838.
    
    Thanks to Ivan Fratric of the Google Security Team for
    reporting this issue.

--- a/dulwich/_pack.c
+++ b/dulwich/_pack.c
@@ -146,10 +146,14 @@ static PyObject *py_apply_delta(PyObject
                 break;
 			memcpy(out+outindex, src_buf+cp_off, cp_size);
 			outindex += cp_size;
+			dest_size -= cp_size;
 		} else if (cmd != 0) {
+			if (cmd > dest_size)
+				break;
 			memcpy(out+outindex, delta+index, cmd);
 			outindex += cmd;
-            index += cmd;
+			index += cmd;
+			dest_size -= cmd;
 		} else {
 			PyErr_SetString(PyExc_ValueError, "Invalid opcode 0");
 			Py_DECREF(ret);
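Review bot: The insert branch (`else if (cmd != 0)`) now bounds the write against the remaining `dest_size`, but nothing visible in this hunk bounds the read: `memcpy(out+outindex, delta+index, cmd)` copies `cmd` bytes out of the delta buffer without checking that `index + cmd` stays inside it. If no such check exists outside the hunk, a truncated delta makes this memcpy read past the end of the delta buffer before the loop notices. A second guard next to the new one would close that, along the lines of `if (cmd > DELTA_LENGTH - index) break;`, where DELTA_LENGTH is a placeholder for the delta buffer's length variable, which is declared outside the hunk. The loop header and the copy branch's own bounds check start above the hunk, so this is based on the visible lines only.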
@@ -167,7 +171,7 @@ static PyObject *py_apply_delta(PyObject
 		return NULL;
 	}
 
-	if (dest_size != outindex) {
+	if (dest_size != 0) {
         PyErr_SetString(PyExc_ValueError, "dest size incorrect");
 		Py_DECREF(ret);
 		return NULL;
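Review bot: `dest_size` changes meaning with this commit and nothing documents it: it is now decremented in both branches of the loop, so by the time of this check it holds the bytes still unwritten rather than (presumably) the size declared by the delta. A comment above the check would keep a later reader from restoring the `!= outindex` comparison, for example `/* dest_size counts bytes still to be written; non-zero means the delta ended, or the loop broke out on a bounds failure, before the output was filled */`. The declaration of `dest_size` and the loop itself are outside this hunk.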
--- a/dulwich/tests/test_pack.py
+++ b/dulwich/tests/test_pack.py
@@ -179,6 +179,14 @@ class TestPackDeltas(TestCase):
     def test_overflow(self):
         self._test_roundtrip(self.test_string_empty, self.test_string_big)
 
+    def test_dest_overflow(self):
+        self.assertRaises(
+            ValueError,
+            apply_delta, 'a'*0x10000, '\x80\x80\x04\x80\x80\x04\x80' + 'a'*0x10000)
+        self.assertRaises(
+            ValueError,
+            apply_delta, '', '\x00\x80\x02\xb0\x11\x11')
+
 
 class TestPackData(PackTests):
     """Tests getting the data from the packfile."""
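Review bot: The two payloads in `test_dest_overflow` are opaque byte strings with no comment saying which bounds check each one is meant to trip, so the test could keep passing for the wrong reason after a later change to the delta code. A one-line comment per case would fix that, e.g. `# declared dest size 0x10000 is filled by a single copy op; the trailing insert ops must be rejected` and `# copy op requests 0x1111 bytes from an empty source`. Separately, the test asserts only `ValueError`. Whether `apply_delta` resolves to the C extension or to a pure-Python fallback depends on imports outside this hunk, so it is worth confirming that the C path is the one exercised where this test runs.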
