Merge pull request #6796 from ConradIrwin/no-oob

Bounds check for pack index read
2026-01-25 02:56:17 +00:00 · 2024-04-23 08:12:04 +01:00
parent b739acaa50 06cafdf9d8
commit 85d42ea10e
1 changed files with 7 additions and 0 deletions
--- a/src/libgit2/pack.c
+++ b/src/libgit2/pack.c
@@ -1499,6 +1499,7 @@ static int pack_entry_find_offset(
 	size_t len)
 {
 	const uint32_t *level1_ofs;
+	size_t ofs_delta = 0;
 	const unsigned char *index;
 	unsigned hi, lo, stride;
 	int pos, found = 0;
@@ -1524,9 +1525,15 @@ static int pack_entry_find_offset(

 	if (p->index_version > 1) {
 		level1_ofs += 2;
+		ofs_delta = 2;
 		index += 8;
 	}

+	if ((size_t)short_oid->id[0] + ofs_delta >= p->index_map.len) {
+		git_error_set(GIT_ERROR_INTERNAL, "internal error: p->short_oid->[0] out of bounds");
+		goto cleanup;
+	}
+
 	index += 4 * 256;
 	hi = ntohl(level1_ofs[(int)short_oid->id[0]]);
 	lo = ((short_oid->id[0] == 0x0) ? 0 : ntohl(level1_ofs[(int)short_oid->id[0] - 1]));