summaryrefslogtreecommitdiff
path: root/sha1_file.c
diff options
context:
space:
mode:
authorJeff King <peff@peff.net>2016-02-25 09:23:26 -0500
committerJunio C Hamano <gitster@pobox.com>2016-02-25 11:32:46 -0800
commit13e0b0d3dc76353632dcb0bc63cdf03426154317 (patch)
treea9ecffdfc2b839b81fc7b4d5aa1e543639a9cec3 /sha1_file.c
parent47fe3f6ef0f5a336db90d816c5fb4330ffa23668 (diff)
downloadgit-13e0b0d3dc76353632dcb0bc63cdf03426154317.tar.gz
use_pack: handle signed off_t overflow
A v2 pack index file can specify an offset within a packfile of up to 2^64-1 bytes. On a system with a signed 64-bit off_t, we can represent only up to 2^63-1. This means that a corrupted .idx file can end up with a negative offset in the pack code. Our bounds-checking use_pack function looks for too-large offsets, but not for ones that have wrapped around to negative. Let's do so, which fixes an out-of-bounds access demonstrated in t5313. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'sha1_file.c')
-rw-r--r--sha1_file.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/sha1_file.c b/sha1_file.c
index bd0f8f7c8d..4a3a032d53 100644
--- a/sha1_file.c
+++ b/sha1_file.c
@@ -1041,6 +1041,8 @@ unsigned char *use_pack(struct packed_git *p,
die("packfile %s cannot be accessed", p->pack_name);
if (offset > (p->pack_size - 20))
die("offset beyond end of packfile (truncated pack?)");
+ if (offset < 0)
+ die("offset before end of packfile (broken .idx?)");
if (!win || !in_window(win, offset)) {
if (win)