packfile.c: prevent overflow in `load_idx()`

Prevent an overflow when locating a pack's CRC offset when the number
of packed items is greater than 2^32-1/hashsz by guarding the
computation with an `st_mult()`.

Note that to avoid truncating the result, the `crc_offset` member must
itself become a `size_t`. The only usage of this variable (besides the
assignment in `load_idx()`) is in `read_v2_anomalous_offsets()` in the
index-pack code. There we use the `crc_offset` as a pointer offset, so
we are already equipped to handle the type change.

Helped-by: Phillip Wood <phillip.wood@dunelm.org.uk>
Signed-off-by: Taylor Blau <me@ttaylorr.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

diff --git a/object-store.h b/object-store.h
index 12415e5ea739d74df5f351ab5da41bcd862827aa..cfe47c9c07b895bd207444725d30236eec47b945 100644 (file)
--- a/object-store.h
+++ b/object-store.h
@@ -110,7 +110,7 @@ struct packed_git {
        const void *index_data;
        size_t index_size;
        uint32_t num_objects;
-       uint32_t crc_offset;
+       size_t crc_offset;
        struct oidset bad_objects;
        int index_version;
        time_t mtime;

diff --git a/packfile.c b/packfile.c
index 5ee67de569ea0c85cb0caad4e18ab5fe7d2c4fa9..efe4a22c63c25a9149731a1c46c3774fa7c7de4b 100644 (file)
--- a/packfile.c
+++ b/packfile.c
@@ -186,7 +186,7 @@ int load_idx(const char *path, const unsigned int hashsz, void *idx_map,
                     */
                    (sizeof(off_t) <= 4))
                        return error("pack too large for current definition of off_t in %s", path);
-               p->crc_offset = 8 + 4 * 256 + nr * hashsz;
+               p->crc_offset = st_add(8 + 4 * 256, st_mult(nr, hashsz));
        }
 
        p->index_version = version;