use_pack: handle signed off_t overflow
A v2 pack index file can specify an offset within a packfile of up to 2^64-1 bytes. On a system with a signed 64-bit off_t, we can represent only up to 2^63-1. This means that a corrupted .idx file can end up with a negative offset in the pack code. Our bounds-checking use_pack function looks for too-large offsets, but not for ones that have wrapped around to negative.

Let's do so, which fixes an out-of-bounds access demonstrated in t5313.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
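The wrap-around described in the commit message, as an added example that is not part of the commit or of git's code. `pack_off_t`, `check_offset`, the sample bytes and the pack size of 1000 are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int64_t pack_off_t; /* assumption: stands in for a signed 64-bit off_t */
enum verdict { OFFSET_OK, OFFSET_BEYOND_END, OFFSET_NEGATIVE };

/* Constructed 8-byte big-endian entry, as a corrupted v2 .idx might hold. */
static const unsigned char constructed_entry[8] =
	{ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf0 };

static uint64_t read_be64(const unsigned char *b)
{
	uint64_t v = 0;
	for (int i = 0; i < 8; i++)
		v = (v << 8) | b[i];
	return v;
}

/* Reinterpret the bits as signed; memcpy avoids an implementation-defined cast. */
static pack_off_t wrap_to_signed(uint64_t raw)
{
	pack_off_t off;
	memcpy(&off, &raw, sizeof(off));
	return off;
}

/* Bounds check; with_negative_check=0 models the check before this commit. */
static enum verdict check_offset(pack_off_t offset, pack_off_t pack_size,
				 int with_negative_check)
{
	if (offset > pack_size - 20)
		return OFFSET_BEYOND_END;
	if (with_negative_check && offset < 0)
		return OFFSET_NEGATIVE;
	return OFFSET_OK;
}

int main(void)
{
	pack_off_t off = wrap_to_signed(read_be64(constructed_entry));
	printf("offset=%lld before=%d after=%d\n", (long long)off,
	       check_offset(off, 1000, 0), check_offset(off, 1000, 1));
	return 0;
}
```

With only the upper-bound comparison, the wrapped value passes as valid because every negative number is smaller than `pack_size - 20`.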
parent 47fe3f6ef0
commit 13e0b0d3dc
@ -1041,6 +1041,8 @@ unsigned char *use_pack(struct packed_git *p,
|
||||
die("packfile %s cannot be accessed", p->pack_name);
|
||||
if (offset > (p->pack_size - 20))
|
||||
die("offset beyond end of packfile (truncated pack?)");
|
||||
if (offset < 0)
|
||||
die("offset before end of packfile (broken .idx?)");
|
||||
|
||||
if (!win || !in_window(win, offset)) {
|
||||
if (win)
|
||||
|
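Review bot: the die() message on the new `offset < 0` branch reads "offset before end of packfile", which is true of every valid offset as well; a negative offset lies before the start of the pack, so "offset before start of packfile (broken .idx?)" would describe the failure. Testing `offset < 0` ahead of `offset > (p->pack_size - 20)` would also keep the .idx diagnosis independent of the upper-bound comparison, and a one-line comment saying that a negative value comes from an .idx offset that does not fit in a signed off_t would save the next reader a trip to the commit log.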
@ -136,7 +136,7 @@ test_expect_success 'bogus offset into v2 extended table' '
|
||||
test_must_fail git index-pack --verify $pack
|
||||
'
|
||||
|
||||
test_expect_failure 'bogus offset inside v2 extended table' '
|
||||
test_expect_success 'bogus offset inside v2 extended table' '
|
||||
# We need two objects here, so we can plausibly require
|
||||
# an extended table (if the first object were larger than 2^31).
|
||||
do_pack "$object $(git rev-parse HEAD)" --index-version=2 &&
|
||||
|
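Review bot: the title of the test being flipped, 'bogus offset inside v2 extended table', differs from the preceding 'bogus offset into v2 extended table' by a single word, which makes a failure report hard to attribute; a title that names the condition, such as the offset wrapping negative, would separate the two. Since the expectation changes from test_expect_failure to test_expect_success here, it is also worth confirming that the body (not visible in this hunk) checks for the new die() message and not only for a non-zero exit.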