diff options
| author | Taylor Blau <me@ttaylorr.com> | 2023-07-14 03:54:54 +0300 |
|---|---|---|
| committer | Junio C Hamano <gitster@pobox.com> | 2023-07-14 19:31:34 +0300 |
| commit | 42be681b33ef73be056fb99e3c63c6e9b9c2e7ef (patch) | |
| tree | dcdb2e0ebeebbd83ba1e560792edeb69225a6888 /packfile.c | |
| parent | de41d03e1c7ab73174716c99b8eaf7ff5884d6bb (diff) | |
packfile.c: prevent overflow in `load_idx()`
Prevent an overflow when locating a pack's CRC offset when the number
of packed items is greater than 2^32-1/hashsz by guarding the
computation with an `st_mult()`.
Note that to avoid truncating the result, the `crc_offset` member must
itself become a `size_t`. The only usage of this variable (besides the
assignment in `load_idx()`) is in `read_v2_anomalous_offsets()` in the
index-pack code. There we use the `crc_offset` as a pointer offset, so
we are already equipped to handle the type change.
Helped-by: Phillip Wood <phillip.wood@dunelm.org.uk>
Signed-off-by: Taylor Blau <me@ttaylorr.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'packfile.c')
| -rw-r--r-- | packfile.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/packfile.c b/packfile.c index 5ee67de569..efe4a22c63 100644 --- a/packfile.c +++ b/packfile.c @@ -186,7 +186,7 @@ int load_idx(const char *path, const unsigned int hashsz, void *idx_map, */ (sizeof(off_t) <= 4)) return error("pack too large for current definition of off_t in %s", path); - p->crc_offset = 8 + 4 * 256 + nr * hashsz; + p->crc_offset = st_add(8 + 4 * 256, st_mult(nr, hashsz)); } p->index_version = version; |