better validation on delta base object offsets
In one case, it was possible to have a bad offset equal to 0 effectively pointing a delta onto itself and crashing git after too many recursions. In the other cases, a negative offset could result due to off_t being signed. Catch those. Signed-off-by: Nicolas Pitre <nico@cam.org> Signed-off-by: Junio C Hamano <gitster@pobox.com>
This commit is contained in:
Nicolas Pitre
committed by
Junio C Hamano
Junio C Hamano
parent
0e8189e270
commit
d8f325563d
@ -334,7 +334,7 @@ static void *unpack_raw_entry(struct object_entry *obj, union delta_base *delta_
|
||||
base_offset = (base_offset << 7) + (c & 127);
|
||||
}
|
||||
delta_base->offset = obj->idx.offset - base_offset;
|
||||
if (delta_base->offset >= obj->idx.offset)
|
||||
if (delta_base->offset <= 0 || delta_base->offset >= obj->idx.offset)
|
||||
bad_object(obj->idx.offset, "delta base offset is out of bound");
|
||||
break;
|
||||
case OBJ_COMMIT:
|
||||
|
||||
Reference in New Issue
Block a user