git.ipfire.org Git - thirdparty/git.git/commit

author	Taylor Blau <me@ttaylorr.com>
	Wed, 12 Jul 2023 23:37:57 +0000 (19:37 -0400)
committer	Junio C Hamano <gitster@pobox.com>
	Fri, 14 Jul 2023 16:32:03 +0000 (09:32 -0700)
commit	209250ef38f353f174ee9e90e55f5a4605449f70
tree	20184dea98066894f2b8eae9d2eda2922d887397	tree \| snapshot
parent	48f3f8cf37043f69e9834d38e2439abfde280964	commit \| diff

commit-graph.c: prevent overflow in add_graph_to_chain()

The commit-graph uses a fanout table with 4-byte entries to store the
number of commits at each shard of the commit-graph. So it is OK to have
a commit graph with as many as 2^32-1 stored commits. But we risk
overflowing any computation which may exceed the 32-bit (unsigned)
maximum when those computations are (incorrectly) performed using 32-bit
operands.

There are a couple of spots in `add_graph_to_chain()` where we could
potentially overflow the result:

  - First, when comparing the list of existing entries in the
    commit-graph chain. It is unlikely that this should ever overflow,
    since it would require having roughly 2^32-1/g->hash_len
    commit-graphs in the chain. But let's guard that computation with a
    `st_mult()` just to be safe.

  - Second, when computing the number of commits in the graph added to
    the front of the chain. This value is also a 32-bit unsigned, but we
    should make sure that it does not grow beyond the maximum value.

Signed-off-by: Taylor Blau <me@ttaylorr.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>