On Thu, Jan 07, 2016 at 02:54:50PM -0800, Junio C Hamano wrote: > We do not check if the offset of individual objects are within the > corresponding .pack file, either, and nth_packed_object_offset() > does return the data read from .idx file that is not checked for > sanity. use_pack(), which is the helper used by the callers of > nth_packed_object_offset() that finds the offset in the packfile for > each object, avoids allowing a read access to mapped pack data > beyond the end of it, so it is OK to return bogus value that was > read from the .idx file from this function, but there is one > computation the function itself does using a possibly bogus value > read from the disk: to find out where in the secondary offset table > in the .idx file the offset in the packfile is stored. Looks like this topic got dropped. I was reminded of it when somebody pointed me to a similar case[1] today which segfaults in a similar way (but this time was caused by actual filesystem corruption). Did you ever push the patch below further along? I confirmed that your patch detects and complains on this newer case. Though I think there is another similar problem in read_v2_anomalous_offsets (I haven't dug, but it triggers for me in "index-pack --verify"). -Peff [1] https://github.com/libgit2/libgit2/issues/3556 -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html