midx: double-check large object write loop
authorJeff King <peff@peff.net>
Sun, 4 Nov 2018 02:27:46 +0000 (22:27 -0400)
committerJunio C Hamano <gitster@pobox.com>
Tue, 6 Nov 2018 03:57:08 +0000 (12:57 +0900)
The write_midx_large_offsets() function takes an array of object
entries, the number of entries in the array (nr_objects), and the number
of entries with large offsets (nr_large_offset). But we never actually
use nr_objects; instead we keep walking down the array and counting down
nr_large_offset until we've seen all of the large entries.

This is correct, but we can be a bit more defensive. If there were ever
a mismatch between nr_large_offset and the actual set of large-offset
objects, we'd walk off the end of the array.

Since we know the size of the array, we can use nr_objects to make sure
we don't walk too far.

Signed-off-by: Jeff King <peff@peff.net>
Reviewed-by: Derrick Stolee <dstolee@microsoft.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
midx.c

diff --git a/midx.c b/midx.c
index 4fac0cd08ab9b2a78096c57518d2ea8cd1db96a2..ecd583666ad6e8a756e291dfcd1eb7ec715ada2c 100644 (file)
--- a/midx.c
+++ b/midx.c
@@ -712,12 +712,18 @@ static size_t write_midx_object_offsets(struct hashfile *f, int large_offset_nee
 static size_t write_midx_large_offsets(struct hashfile *f, uint32_t nr_large_offset,
                                       struct pack_midx_entry *objects, uint32_t nr_objects)
 {
-       struct pack_midx_entry *list = objects;
+       struct pack_midx_entry *list = objects, *end = objects + nr_objects;
        size_t written = 0;
 
        while (nr_large_offset) {
-               struct pack_midx_entry *obj = list++;
-               uint64_t offset = obj->offset;
+               struct pack_midx_entry *obj;
+               uint64_t offset;
+
+               if (list >= end)
+                       BUG("too many large-offset objects");
+
+               obj = list++;
+               offset = obj->offset;
 
                if (!(offset >> 31))
                        continue;
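Review bot: The new bound check on the `if (list >= end)` line reports only a fixed string, so when it fires the developer cannot see how far the caller's count was off; since the function already has both counts in hand, the diagnostic is more useful as `BUG("too many large-offset objects (%"PRIu32" still expected, %"PRIu32" objects total)", nr_large_offset, nr_objects);`. A one-line comment above the check would also record why this is a BUG rather than an error, along the lines of `/* nr_large_offset is presumably derived from this same array; overrunning it means the caller's count is inconsistent. */`, hedged because the counting site is not in this hunk. The loop body, including where nr_large_offset is decremented, continues past the end of the hunk.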