path: root/pack-bitmap-write.c
diff options
authorTaylor Blau <>2020-12-08 22:04:26 (GMT)
committerJunio C Hamano <>2020-12-08 22:48:17 (GMT)
commitc6b0c3910c80a7b7a5c1da3b70d8054ade515692 (patch)
tree8ae186cb67fe006efe539040e3adff96a89b5c6c /pack-bitmap-write.c
parent928e3f42adc032ce7b7c1323408648d2b6713509 (diff)
pack-bitmap.c: check reads more aggressively when loading
Before 'load_bitmap_entries_v1()' reads an actual EWAH bitmap, it should check that it can safely do so by ensuring that there are at least 6 bytes available to be read (four for the commit's index position, and then two more for the xor offset and flags, respectively). Likewise, it should check that the commit index it read refers to a legitimate object in the pack. The first fix catches a truncation bug that was exposed when testing, and the second is purely precautionary. There are some possible future improvements, not pursued here. They are: - Computing the correct boundary of the bitmap itself in the caller and ensuring that we don't read past it. This may or may not be worth it, since in a truncation situation, all bets are off: (is the trailer still there and the bitmap entries malformed, or is the trailer truncated?). The best we can do is try to read what's there as if it's correct data (and protect ourselves when it's obviously bogus). - Avoid the magic "6" by teaching read_be32() and read_u8() (both of which are custom helpers for this function) to check sizes before advancing the pointers. - Adding more tests in this area. Testing these truncation situations are remarkably fragile to even subtle changes in the bitmap generation. So, the resulting tests are likely to be quite brittle. Signed-off-by: Jeff King <> Signed-off-by: Taylor Blau <> Signed-off-by: Junio C Hamano <>
Diffstat (limited to 'pack-bitmap-write.c')
0 files changed, 0 insertions, 0 deletions