From 13e0b0d3dc76353632dcb0bc63cdf03426154317 Mon Sep 17 00:00:00 2001 From: Jeff King Date: Thu, 25 Feb 2016 09:23:26 -0500 Subject: [PATCH] use_pack: handle signed off_t overflow A v2 pack index file can specify an offset within a packfile of up to 2^64-1 bytes. On a system with a signed 64-bit off_t, we can represent only up to 2^63-1. This means that a corrupted .idx file can end up with a negative offset in the pack code. Our bounds-checking use_pack function looks for too-large offsets, but not for ones that have wrapped around to negative. Let's do so, which fixes an out-of-bounds access demonstrated in t5313. Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- sha1_file.c | 2 ++ t/t5313-pack-bounds-checks.sh | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/sha1_file.c b/sha1_file.c index bd0f8f7c8d..4a3a032d53 100644 --- a/sha1_file.c +++ b/sha1_file.c @@ -1041,6 +1041,8 @@ unsigned char *use_pack(struct packed_git *p, die("packfile %s cannot be accessed", p->pack_name); if (offset > (p->pack_size - 20)) die("offset beyond end of packfile (truncated pack?)"); + if (offset < 0) + die("offset before end of packfile (broken .idx?)"); if (!win || !in_window(win, offset)) { if (win) diff --git a/t/t5313-pack-bounds-checks.sh b/t/t5313-pack-bounds-checks.sh index 0717746479..a8a587abc3 100755 --- a/t/t5313-pack-bounds-checks.sh +++ b/t/t5313-pack-bounds-checks.sh @@ -136,7 +136,7 @@ test_expect_success 'bogus offset into v2 extended table' ' test_must_fail git index-pack --verify $pack ' -test_expect_failure 'bogus offset inside v2 extended table' ' +test_expect_success 'bogus offset inside v2 extended table' ' # We need two objects here, so we can plausibly require # an extended table (if the first object were larger than 2^31). do_pack "$object $(git rev-parse HEAD)" --index-version=2 &&