Merge branch 'mk/diff-delta-avoid-large-offset'
authorJunio C Hamano <gitster@pobox.com>
Thu, 28 Sep 2017 05:47:56 +0000 (14:47 +0900)
committerJunio C Hamano <gitster@pobox.com>
Thu, 28 Sep 2017 05:47:56 +0000 (14:47 +0900)
The delta format used in the packfile cannot reference data at an
offset larger than what can be expressed in 4 bytes, but the
generator for the data failed to make sure the offset does not
overflow. This has been corrected.

* mk/diff-delta-avoid-large-offset:
diff-delta: do not allow delta offset truncation

diff-delta.c
diff --combined diff-delta.c
index cd238c8ed8fbbd61984b72d1d8018e7ab2a9d29e,ea710c44ce6b215176e05f70573ad52a74d6f51e..e49643353bf56807b3d4ac4011784b5d8dd6f7a4
@@@ -319,9 -319,7 +319,9 @@@ create_delta(const struct delta_index *
             const void *trg_buf, unsigned long trg_size,
             unsigned long *delta_size, unsigned long max_size)
  {
 -      unsigned int i, outpos, outsize, moff, msize, val;
 +      unsigned int i, val;
 +      off_t outpos, moff;
 +      size_t l, outsize, msize;
        int inscnt;
        const unsigned char *ref_data, *ref_top, *data, *top;
        unsigned char *out;
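Review bot: `off_t outpos, moff;` gives a signed file-offset type to two values that, in the lines visible on this page, are used as a position in the in-memory `out` buffer and as an offset into the reference buffer, while `outsize` and `msize` on the next line become `size_t`. Any comparison or arithmetic between `outpos` and `outsize` in the rest of create_delta (outside this hunk) would then mix signed and unsigned operands, which is easy to get wrong when the bound is computed by subtraction. Keeping the indices in the same unsigned type as the sizes, `size_t outpos, moff;`, would avoid that, or a short comment such as `/* off_t: must be able to hold offsets above 4 GiB */` would record why the signed type was chosen. The function body continues past the end of this hunk.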
                return NULL;
  
        /* store reference buffer size */
 -      i = index->src_size;
 -      while (i >= 0x80) {
 -              out[outpos++] = i | 0x80;
 -              i >>= 7;
 +      l = index->src_size;
 +      while (l >= 0x80) {
 +              out[outpos++] = l | 0x80;
 +              l >>= 7;
        }
 -      out[outpos++] = i;
 +      out[outpos++] = l;
  
        /* store target buffer size */
 -      i = trg_size;
 -      while (i >= 0x80) {
 -              out[outpos++] = i | 0x80;
 -              i >>= 7;
 +      l = trg_size;
 +      while (l >= 0x80) {
 +              out[outpos++] = l | 0x80;
 +              l >>= 7;
        }
 -      out[outpos++] = i;
 +      out[outpos++] = l;
  
        ref_data = index->src_buf;
        ref_top = ref_data + index->src_size;
                        moff += msize;
                        msize = left;
  
+                       if (moff > 0xffffffff)
+                               msize = 0;
                        if (msize < 4096) {
                                int j;
                                val = 0;
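Review bot: The new guard `if (moff > 0xffffffff) msize = 0;` is the whole fix for the offset truncation, yet it carries no comment and uses a bare constant, so a reader has to know the delta copy encoding to see why a match is discarded here. A comment above it along the lines of `/* copy ops encode at most a 4-byte offset; drop the match instead of truncating moff */` would tie the check to the limit named in the commit message. The check only zeroes `msize` and relies on the following `if (msize < 4096)` branch to pick up from there; that branch's body lies outside this hunk, so the comment should be confirmed against it. Note also that the comparison can only be true where the type of `moff` is wider than 32 bits.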