Merge pull request #6796 from ConradIrwin/no-oob

Bounds check for pack index read
libgit2 · Apr 23, 2024 · 85d42ea · 85d42ea
2 parents b739aca + 06cafdf
commit 85d42ea
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/src/libgit2/pack.c b/src/libgit2/pack.c
@@ -1499,6 +1499,7 @@ static int pack_entry_find_offset(
 	size_t len)
 {
 	const uint32_t *level1_ofs;
+	size_t ofs_delta = 0;
 	const unsigned char *index;
 	unsigned hi, lo, stride;
 	int pos, found = 0;
@@ -1524,9 +1525,15 @@ static int pack_entry_find_offset(
 
 	if (p->index_version > 1) {
 		level1_ofs += 2;
+		ofs_delta = 2;
 		index += 8;
 	}
 
+	if ((size_t)short_oid->id[0] + ofs_delta >= p->index_map.len) {
+		git_error_set(GIT_ERROR_INTERNAL, "internal error: p->short_oid->[0] out of bounds");
+		goto cleanup;
+	}
+
 	index += 4 * 256;
 	hi = ntohl(level1_ofs[(int)short_oid->id[0]]);
 	lo = ((short_oid->id[0] == 0x0) ? 0 : ntohl(level1_ofs[(int)short_oid->id[0] - 1]));