On Tue, Jan 26, 2021 at 04:01:11PM +0000, Derrick Stolee via GitGitGadget wrote:
> +/*
> + * When writing a chunk-based file format, collect the chunks in
> + * an array of chunk_info structs. The size stores the _expected_
> + * amount of data that will be written by write_fn.
> + */
> +struct chunk_info {
> + uint32_t id;
> + uint64_t size;
Hmm. Would we not want an off_t to indicate the size here?
I wondered briefly if we even needed a size field at all, since calling
write_fn would tell us the number of bytes written. But I suppose you
want to know ahead of time so that you can write the file in one pass
(beginning with the table of contents, which certainly needs to know the
size).
> + /* Trailing entry marks the end of the chunks */
> + hashwrite_be32(cf->f, 0);
> + hashwrite_be64(cf->f, cur_offset);
> +
> + for (i = 0; i < cf->chunks_nr; i++) {
> + uint64_t start_offset = cf->f->total + cf->f->offset;
> + int result = cf->chunks[i].write_fn(cf->f, data);
> +
> + if (result)
> + return result;
> +
> + if (cf->f->total + cf->f->offset != start_offset + cf->chunks[i].size)
I don't think this is a practical concern, but a malicious caller could
overflow this by passing a bogus "size" parameter. Maybe:
uint64_t end_offset = ...;
if (end_offset - start_offset != cf->chunks[i].size)
BUG(...)
?
> diff --git a/chunk-format.h b/chunk-format.h
> new file mode 100644
> index 00000000000..bfaed672813
> --- /dev/null
> +++ b/chunk-format.h
> @@ -0,0 +1,20 @@
> +#ifndef CHUNK_FORMAT_H
> +#define CHUNK_FORMAT_H
> +
> +#include "git-compat-util.h"
> +
> +struct hashfile;
> +struct chunkfile;
> +
> +struct chunkfile *init_chunkfile(struct hashfile *f);
> +void free_chunkfile(struct chunkfile *cf);
> +int get_num_chunks(struct chunkfile *cf);
> +typedef int (*chunk_write_fn)(struct hashfile *f,
> + void *data);
> +void add_chunk(struct chunkfile *cf,
> + uint64_t id,
> + chunk_write_fn fn,
> + size_t size);
> +int write_chunkfile(struct chunkfile *cf, void *data);
Very clean API.
Thanks,
Taylor
