add missing checks for reads beyond the mapped memory area of a pack file
diff --git a/lib/pack.c b/lib/pack.c
index a030611..4a1a3b5 100644
--- a/lib/pack.c
+++ b/lib/pack.c
@@ -639,6 +639,8 @@ got_pack_parse_object_type_and_size(uint8_t *type, uint64_t *size, size_t *len,
return got_error(GOT_ERR_NO_SPACE);
if (pack->map) {
+ if (mapoff + sizeof(sizeN) >= pack->filesize)
+ return got_error(GOT_ERR_BAD_PACKFILE);
sizeN = *(pack->map + mapoff);
mapoff += sizeof(sizeN);
} else {
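Review bot: The new bound `mapoff + sizeof(sizeN) >= pack->filesize` is an addition, so a `mapoff` near SIZE_MAX wraps to a small value and passes the check before `*(pack->map + mapoff)` is read. The same form is used in the parse_negative_offset and got_pack_parse_ref_delta hunks. Where `mapoff` is assigned lies outside this hunk, so whether such a value can arrive from a crafted pack cannot be confirmed from here. Comparing against the remaining space cannot wrap and keeps the same boundary: `if (mapoff >= pack->filesize || sizeof(sizeN) >= pack->filesize - mapoff)`.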
@@ -703,9 +705,9 @@ parse_negative_offset(int64_t *offset, size_t *len, struct got_pack *pack,
if (pack->map) {
size_t mapoff;
- if (delta_offset >= pack->filesize)
- return got_error(GOT_ERR_PACK_OFFSET);
mapoff = (size_t)delta_offset + *len;
+ if (mapoff + sizeof(offN) >= pack->filesize)
+ return got_error(GOT_ERR_PACK_OFFSET);
offN = *(pack->map + mapoff);
} else {
ssize_t n;
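Review bot: Moving the check below `mapoff = (size_t)delta_offset + *len;` removes the only test made on `delta_offset` itself, so the value is now cast to size_t and added to `*len` before anything validates it. The declaration of `delta_offset` is outside the hunk; if it is a signed offset, as the cast suggests, a negative value becomes a very large size_t here. Keeping a guard ahead of the cast, `if (delta_offset < 0 || delta_offset >= pack->filesize) return got_error(GOT_ERR_PACK_OFFSET);`, and then applying the new end-of-read check would cover both the start and the end of the read.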
@@ -845,6 +847,8 @@ got_pack_parse_ref_delta(struct got_object_id *id,
{
if (pack->map) {
size_t mapoff = delta_offset + tslen;
+ if (mapoff + sizeof(*id) >= pack->filesize)
+ return got_error(GOT_ERR_PACK_OFFSET);
memcpy(id, pack->map + mapoff, sizeof(*id));
} else {
ssize_t n;
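Review bot: The comparison `mapoff + sizeof(*id) >= pack->filesize` also rejects an object id whose last byte is exactly the last byte of the file, one byte stricter than the `memcpy` below needs. That is presumably harmless because a pack ends with a checksum trailer, so a ref-delta base id is never the final bytes, but the intent is not stated. A short comment above the check would record it, for example `/* '>=' is deliberate: the pack trailer always follows object data */`.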