Document why header parsing won't exceed a window.

[thirdparty/git.git] / sha1_file.c

diff --git a/sha1_file.c b/sha1_file.c
index c30452251943bbb058bc5064aaee4a0033ae22c3..34669693448b9dd106ed6af66816d9e4096cd0d7 100644 (file)
--- a/sha1_file.c
+++ b/sha1_file.c
@@ -903,10 +903,12 @@ static unsigned long get_delta_base(struct packed_git *p,
        unsigned char *base_info = use_pack(p, w_curs, offset, NULL);
        unsigned long base_offset;
 
-       /* there must be at least 20 bytes left regardless of delta type */
-       if (p->pack_size <= offset + 20)
-               die("truncated pack file");
-
+       /* use_pack() assured us we have [base_info, base_info + 20)
+        * as a range that we can look at without walking off the
+        * end of the mapped window.  Its actually the hash size
+        * that is assured.  An OFS_DELTA longer than the hash size
+        * is stupid, as then a REF_DELTA would be smaller to store.
+        */
        if (kind == OBJ_OFS_DELTA) {
                unsigned used = 0;
                unsigned char c = base_info[used++];
@@ -1009,6 +1011,12 @@ static unsigned long unpack_object_header(struct packed_git *p,
        unsigned int left;
        unsigned long used;
 
+       /* use_pack() assures us we have [base, base + 20) available
+        * as a range that we can look at at.  (Its actually the hash
+        * size that is assurred.)  With our object header encoding
+        * the maximum deflated object size is 2^137, which is just
+        * insane, so we know won't exceed what we have been given.
+        */
        base = use_pack(p, w_curs, offset, &left);
        used = unpack_object_header_gently(base, left, type, sizep);
        if (!used)