pack-revindex.c: guard against out-of-bounds pack lookups

The function midx_key_to_pack_pos() is a helper function used by
midx_to_pack_pos() and midx_pair_to_pack_pos() to translate a (pack,
offset) tuple into a position into the MIDX pseudo-pack order.

Ensure that the pack ID given to midx_pair_to_pack_pos() is bounded by
the number of packs within the MIDX to prevent, for instance,
uninitialized memory from being used as a pack ID.

Signed-off-by: Taylor Blau <me@ttaylorr.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

diff --git a/pack-revindex.c b/pack-revindex.c
index fc63aa76a2611fc639475761d9ae4eeba9643cde..93ffca7731ab6801ef883cbf3da6f2eb6cbe716e 100644 (file)
--- a/pack-revindex.c
+++ b/pack-revindex.c
@@ -527,6 +527,9 @@ static int midx_key_to_pack_pos(struct multi_pack_index *m,
 {
        uint32_t *found;
 
+       if (key->pack >= m->num_packs)
+               BUG("MIDX pack lookup out of bounds (%"PRIu32" >= %"PRIu32")",
+                   key->pack, m->num_packs);
        /*
         * The preferred pack sorts first, so determine its identifier by
         * looking at the first object in pseudo-pack order.