From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on dcvr.yhbt.net X-Spam-Level: X-Spam-ASN: AS31976 209.132.180.0/23 X-Spam-Status: No, score=-3.9 required=3.0 tests=AWL,BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI, RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_NONE shortcircuit=no autolearn=ham autolearn_force=no version=3.4.2 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by dcvr.yhbt.net (Postfix) with ESMTP id AFE0F1F61A for ; Fri, 28 Feb 2020 18:55:27 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725827AbgB1Sz1 (ORCPT ); Fri, 28 Feb 2020 13:55:27 -0500 Received: from cloud.peff.net ([104.130.231.41]:57386 "HELO cloud.peff.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with SMTP id S1725730AbgB1Sz0 (ORCPT ); Fri, 28 Feb 2020 13:55:26 -0500 Received: (qmail 4682 invoked by uid 109); 28 Feb 2020 18:55:26 -0000 Received: from Unknown (HELO peff.net) (10.0.1.2) by cloud.peff.net (qpsmtpd/0.94) with SMTP; Fri, 28 Feb 2020 18:55:26 +0000 Authentication-Results: cloud.peff.net; auth=none Received: (qmail 18503 invoked by uid 111); 28 Feb 2020 19:04:35 -0000 Received: from coredump.intra.peff.net (HELO sigill.intra.peff.net) (10.0.0.2) by peff.net (qpsmtpd/0.94) with (TLS_AES_256_GCM_SHA384 encrypted) ESMTPS; Fri, 28 Feb 2020 14:04:35 -0500 Authentication-Results: peff.net; auth=none Date: Fri, 28 Feb 2020 13:55:25 -0500 From: Jeff King To: Damien Robert Cc: git@vger.kernel.org, Damien Robert , Junio C Hamano , Derrick Stolee , William Baker Subject: Re: [PATCH 1/1] midx.c: fix an integer overflow Message-ID: <20200228185525.GB1408759@coredump.intra.peff.net> References: <20200228162450.1720795-1-damien.olivier.robert+git@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20200228162450.1720795-1-damien.olivier.robert+git@gmail.com> Sender: git-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: git@vger.kernel.org On Fri, Feb 28, 2020 at 05:24:49PM +0100, Damien Robert wrote: > When verifying a midx index with 0 objects, the > m->num_objects - 1 > overflows to 4294967295. > > Fix this. Makes sense. Such a midx shouldn't be generated in the first place, but we should handle it robustly if we do see one. > diff --git a/midx.c b/midx.c > index 37ec28623a..6ffe013089 100644 > --- a/midx.c > +++ b/midx.c > @@ -1127,7 +1127,7 @@ int verify_midx_file(struct repository *r, const char *object_dir, unsigned flag > if (flags & MIDX_PROGRESS) > progress = start_sparse_progress(_("Verifying OID order in multi-pack-index"), > m->num_objects - 1); > - for (i = 0; i < m->num_objects - 1; i++) { > + for (i = 0; i + 1 < m->num_objects; i++) { > struct object_id oid1, oid2; > > nth_midxed_object_oid(&oid1, m, i); [...] nth_midxed_object_oid(&oid2, m, i + 1); Perhaps it would be simpler as: for (i = 1; i < m->num_objects; i++) { ... nth_midxed_object_oid(&oid1, m, i - 1); nth_midxed_object_oid(&oid2, m, i); ... } Though I almost wonder if we should be catching "m->num_objects == 0" early and declaring the midx to be bogus (it's not _technically_ wrong, but I'd have to suspect a bug in anything that generated a 0-object midx file). -Peff