From: Taylor Blau <me@ttaylorr.com>
Date: Tue, 11 Jun 2024 17:28:24 +0000 (-0400)
Subject: pack-revindex.c: guard against out-of-bounds pack lookups
X-Git-Tag: v2.46.0-rc0~46^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e162aed591154612cbc646ab19808096d226fce5;p=thirdparty%2Fgit.git

pack-revindex.c: guard against out-of-bounds pack lookups

The function midx_key_to_pack_pos() is a helper function used by
midx_to_pack_pos() and midx_pair_to_pack_pos() to translate a (pack,
offset) tuple into a position into the MIDX pseudo-pack order.

Ensure that the pack ID given to midx_pair_to_pack_pos() is bounded by
the number of packs within the MIDX to prevent, for instance,
uninitialized memory from being used as a pack ID.

Signed-off-by: Taylor Blau <me@ttaylorr.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
---

diff --git a/pack-revindex.c b/pack-revindex.c
index fc63aa76a2..93ffca7731 100644
--- a/pack-revindex.c
+++ b/pack-revindex.c
@@ -527,6 +527,9 @@ static int midx_key_to_pack_pos(struct multi_pack_index *m,
 {
 	uint32_t *found;
 
+	if (key->pack >= m->num_packs)
+		BUG("MIDX pack lookup out of bounds (%"PRIu32" >= %"PRIu32")",
+		    key->pack, m->num_packs);
 	/*
 	 * The preferred pack sorts first, so determine its identifier by
 	 * looking at the first object in pseudo-pack order.