From: Stefan Sperling Subject: Re: add bound check in read_packed_object To: Omar Polo Cc: gameoftrees@openbsd.org Date: Mon, 24 Oct 2022 22:17:44 +0200 On Mon, Oct 24, 2022 at 09:38:54PM +0200, Omar Polo wrote: > there's a similar check delta references ok > diff 0a8a9c8f2be324315ed3529bb48871c3bd0505b4 933f287a77cf1c9dced8ed3afbf3850f5c0c1bb3 > commit - 0a8a9c8f2be324315ed3529bb48871c3bd0505b4 > commit + 933f287a77cf1c9dced8ed3afbf3850f5c0c1bb3 > blob - b1c742e556836c8ebe34fdc0737b73b17fa2a931 > blob + 07b401c3fd8743bb46cd007e16800e79aaa387dc > --- lib/pack_index.c > +++ lib/pack_index.c > @@ -314,6 +314,12 @@ read_packed_object(struct got_pack *pack, struct got_i > break; > > if (pack->map) { > + if (mapoff + obj->delta.ofs.base_offsetlen >= > + pack->filesize) { > + err = got_error(GOT_ERR_BAD_PACKFILE); > + break; > + } > + > obj->crc = crc32(obj->crc, pack->map + mapoff, > obj->delta.ofs.base_offsetlen); > SHA1Update(pack_sha1_ctx, pack->map + mapoff, > >
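Review bot: in the new check under if (pack->map), the end of the read is computed as mapoff + obj->delta.ofs.base_offsetlen before it is compared with pack->filesize, so the test relies on that sum not wrapping; the types of the operands are not visible in this hunk. Comparing against the remaining space instead, that is, failing with GOT_ERR_BAD_PACKFILE when mapoff > pack->filesize or obj->delta.ofs.base_offsetlen > pack->filesize - mapoff, bounds the crc32() and SHA1Update() reads without depending on the width of the sum. That form accepts a read ending exactly at pack->filesize, which the >= here rejects; if the stricter bound is intentional, to match the similar check the commit message refers to, a one-line comment saying so would help the next reader.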