From: Junio C Hamano
Date: Thu, 28 Sep 2017 05:47:56 +0000 (+0900)
Subject: Merge branch 'mk/diff-delta-avoid-large-offset'
X-Git-Tag: v2.15.0-rc0~39
X-Git-Url: https://git.lorimer.id.au/gitweb.git/diff_plain/fdbe2ac1983c1224ce40b465b22e44d7e22de6c4?hp=-c
Merge branch 'mk/diff-delta-avoid-large-offset'
The delta format used in the packfile cannot reference data at offset larger than what can be expressed in 4-byte, but the generator for the data failed to make sure the offset does not overflow. This has been corrected.
* mk/diff-delta-avoid-large-offset:
diff-delta: do not allow delta offset truncation
---
fdbe2ac1983c1224ce40b465b22e44d7e22de6c4
diff --combined diff-delta.c
index cd238c8ed8,ea710c44ce..e49643353b
--- a/diff-delta.c
+++ b/diff-delta.c
@@@ -319,9 -319,7 +319,9 @@@ create_delta(const struct delta_index *
 const void *trg_buf, unsigned long trg_size,
 unsigned long *delta_size, unsigned long max_size)
 {
- unsigned int i, outpos, outsize, moff, msize, val;
+ unsigned int i, val;
+ off_t outpos, moff;
+ size_t l, outsize, msize;
 int inscnt;
 const unsigned char *ref_data, *ref_top, *data, *top;
 unsigned char *out;
@@@ -338,20 -336,20 +338,20 @@@
 return NULL;
 /* store reference buffer size */
- i = index->src_size;
- while (i >= 0x80) {
- out[outpos++] = i | 0x80;
- i >>= 7;
+ l = index->src_size;
+ while (l >= 0x80) {
+ out[outpos++] = l | 0x80;
+ l >>= 7;
 }
- out[outpos++] = i;
+ out[outpos++] = l;
 /* store target buffer size */
- i = trg_size;
- while (i >= 0x80) {
- out[outpos++] = i | 0x80;
- i >>= 7;
+ l = trg_size;
+ while (l >= 0x80) {
+ out[outpos++] = l | 0x80;
+ l >>= 7;
 }
- out[outpos++] = i;
+ out[outpos++] = l;
 ref_data = index->src_buf;
 ref_top = ref_data + index->src_size;
@@@ -454,6 -452,9 +454,9 @@@
 moff += msize;
 msize = left;
+ if (moff > 0xffffffff)
+ msize = 0;
+
 if (msize < 4096) {
 int j;
 val = 0;
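Review bot: In the declarations at the top of create_delta, `outpos` becomes a signed `off_t` although the visible code only uses it as an index into the heap buffer `out`, next to `outsize`, which is now `size_t`. The width of `off_t` depends on the build's large-file settings, and the `moff > 0xffffffff` guard added in the third hunk can only fire when `off_t` is wider than 32 bits. I would declare the buffer position as `size_t outpos;` and document the requirement on `moff`, e.g. `/* moff must be wider than 32 bits so an offset that no longer fits a copy op can be detected */`. The function body continues outside the hunk, so other uses of these variables could not be checked here.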
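Review bot: With `l` now a `size_t`, each of the two header loops can emit up to ten bytes on a 64-bit build (seven bits per byte), where the old `unsigned int` counter topped out at five, and the writes through `out[outpos++]` in this hunk are not bounds-checked themselves. The allocation of `out` and whatever headroom it reserves sit above the hunk, so it is worth confirming that the initial buffer still covers a 20-byte header when `max_size` is small. A comment above the first loop would record the assumption, e.g. `/* sizes are written 7 bits per byte, low bits first, 0x80 = more follows; up to 10 bytes each for a 64-bit size_t */`.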
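Review bot: The bare `0xffffffff` in the new guard is not tied to anything a reader can see in the hunk. A comment such as `/* copy ops encode the source offset in 4 bytes; stop extending this match once moff no longer fits */` would explain both the limit and why `msize` is zeroed. The guard runs after `moff += msize`, so it only stops the continuation of a long match. The starting offset of a match is presumably bounded where the index is built, which is outside this diff and worth confirming, since a truncated offset would yield a delta that copies from the wrong place in the source. The enclosing block starts and ends outside the hunk.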