This series teaches Git to detect a few problems with corrupted .idx files, and adds tests for some more cases. There's conceptually some overlap with t5300, but I don't think it was covering any of these cases explicitly.

There are two real bugs that could cause segfaults or bus errors via bogus reads (but never writes). On top of that, these are all problems in .idx files, which are usually generated locally. So I don't think there's anything particularly security interesting here. You'd need a situation where you convince somebody to read your .idx files (so maybe a multi-user server), and then I don't see how you'd turn it into remote code execution.

I think with these patches, fuzzing .idx files should never result in any memory problems (though of course git will die()). Famous last words, of course.

I stopped short of poking at other file formats, which might have similar issues. Obvious candidates are .bitmap files, and the on-disk $GIT_DIR/index.

  [1/3]: t5313: test bounds-checks of corrupted/malicious pack/idx files
  [2/3]: nth_packed_object_offset: bounds-check extended offset
  [3/3]: use_pack: handle signed off_t overflow

-Peff
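An added illustration, not code from this series or from Git: a stand-alone reader for the documented version-2 .idx layout that applies the two kinds of checks named in patches 2 and 3 (an extended-offset index must fall inside the 8-byte table, and a 64-bit offset must not become negative when treated as signed). The names idx_v2_offset and make_sample, and the sample data, are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Big-endian 32-bit accessors that do not assume alignment. */
static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static void put_be32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}

/* Offset of object n in a v2 .idx image; 0 on success, -1 if inconsistent. */
int idx_v2_offset(const unsigned char *idx, size_t len, size_t hash_len,
                  uint32_t n, int64_t *out)
{
    const size_t hdr = 8 + 256 * 4, trailer = 2 * hash_len;
    if (len < hdr + trailer || memcmp(idx, "\377tOc", 4) || be32(idx + 4) != 2)
        return -1;
    uint64_t nr = be32(idx + 8 + 255 * 4);      /* last fanout entry = object count */
    uint64_t fixed = hdr + nr * (hash_len + 8); /* names + crc32 + 4-byte offsets */
    if (n >= nr || fixed > len - trailer) return -1;
    uint64_t ext_count = (len - trailer - fixed) / 8; /* 8-byte entries on disk */
    uint32_t off = be32(idx + hdr + nr * (hash_len + 4) + (uint64_t)n * 4);
    if (!(off & 0x80000000u)) { *out = off; return 0; }
    uint32_t slot = off & 0x7fffffffu;          /* MSB set: index into 8-byte table */
    if (slot >= ext_count) return -1;           /* index past the 8-byte table */
    const unsigned char *p = idx + fixed + (uint64_t)slot * 8;
    uint64_t v = ((uint64_t)be32(p) << 32) | be32(p + 4);
    if (v > INT64_MAX) return -1;               /* negative as a signed offset */
    *out = (int64_t)v;
    return 0;
}

/* Constructed sample (not a complete idx): 2 objects, one 8-byte entry `ext`. */
size_t make_sample(unsigned char *b, uint32_t slot, uint64_t ext)
{
    size_t hdr = 8 + 256 * 4, len = hdr + 2 * (20 + 8) + 8 + 2 * 20;
    memset(b, 0, len);
    memcpy(b, "\377tOc\0\0\0\2", 8);
    b[8 + 255 * 4 + 3] = 2;                     /* fanout[255] = 2 objects */
    unsigned char *o = b + hdr + 2 * (20 + 4);  /* start of 4-byte offset table */
    o[3] = 12;                                  /* object 0 at pack offset 12 */
    put_be32(o + 4, 0x80000000u | slot);        /* object 1 uses the 8-byte table */
    put_be32(o + 8, (uint32_t)(ext >> 32)); put_be32(o + 12, (uint32_t)ext);
    return len;
}
```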