Jeff King <peff@xxxxxxxx> writes: > On Thu, Jan 07, 2016 at 02:54:50PM -0800, Junio C Hamano wrote: > >> We do not check if the offset of individual objects are within the >> corresponding .pack file, either, and nth_packed_object_offset() >> does return the data read from .idx file that is not checked for >> sanity. use_pack(), which is the helper used by the callers of >> nth_packed_object_offset() that finds the offset in the packfile for >> each object, avoids allowing a read access to mapped pack data >> beyond the end of it, so it is OK to return bogus value that was >> read from the .idx file from this function, but there is one >> computation the function itself does using a possibly bogus value >> read from the disk: to find out where in the secondary offset table >> in the .idx file the offset in the packfile is stored. > > Looks like this topic got dropped. I was reminded of it when somebody > pointed me to a similar case[1] today which segfaults in a similar way (but > this time was caused by actual filesystem corruption). > > Did you ever push the patch below further along? I do not think so, as I didn't "dig"; I recall trying to be explicit that it was an illustration to prevent two extra and unnecessary changes I alluded to in the earlier parts of the thread, not a real patch. > I confirmed that your patch detects and complains on this newer case. > Though I think there is another similar problem in > read_v2_anomalous_offsets (I haven't dug, but it triggers for me in > "index-pack --verify"). > > -Peff > > [1] https://github.com/libgit2/libgit2/issues/3556 -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html