commit 1944573a096bbe0d2b80dd1644f01383b9353af5
from: Stefan Sperling
via: Thomas Adam
date: Mon Jan 10 21:58:18 2022 UTC
add missing checks for reads beyond the mapped memory area of a pack file
commit - 510885f759bdcb9febc6710d120af30902c7173c
commit + 1944573a096bbe0d2b80dd1644f01383b9353af5
blob - 6ec34f370067855ed6e758430e10de7930e72729
blob + 42db173ef1b6dbec1e36f988932ceaaf62802922
--- lib/pack.c
+++ lib/pack.c
@@ -635,6 +635,8 @@ got_pack_parse_object_type_and_size(uint8_t *type, uin
 		return got_error(GOT_ERR_NO_SPACE);
 	if (pack->map) {
+		if (mapoff + sizeof(sizeN) >= pack->filesize)
+			return got_error(GOT_ERR_BAD_PACKFILE);
 		sizeN = *(pack->map + mapoff);
 		mapoff += sizeof(sizeN);
 	} else {
@@ -699,9 +701,9 @@ parse_negative_offset(int64_t *offset, size_t *len, st
 	if (pack->map) {
 		size_t mapoff;
-		if (delta_offset >= pack->filesize)
-			return got_error(GOT_ERR_PACK_OFFSET);
 		mapoff = (size_t)delta_offset + *len;
+		if (mapoff + sizeof(offN) >= pack->filesize)
+			return got_error(GOT_ERR_PACK_OFFSET);
 		offN = *(pack->map + mapoff);
 	} else {
 		ssize_t n;
@@ -841,6 +843,8 @@ got_pack_parse_ref_delta(struct got_object_id *id,
 {
 	if (pack->map) {
 		size_t mapoff = delta_offset + tslen;
+		if (mapoff + sizeof(*id) >= pack->filesize)
+			return got_error(GOT_ERR_PACK_OFFSET);
 		memcpy(id, pack->map + mapoff, sizeof(*id));
 	} else {
 		ssize_t n;
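Review bot: The new bound `mapoff + sizeof(sizeN) >= pack->filesize` is one byte stricter than the read it protects: a read of sizeof(sizeN) bytes at mapoff is in bounds whenever `mapoff + sizeof(sizeN) <= pack->filesize`, so the check also rejects an object whose size header ends on the last mapped byte. The same `>=` form is used in the parse_negative_offset and got_pack_parse_ref_delta hunks. This is presumably harmless if every pack ends in a checksum trailer that is never object data, but that reasoning is not visible here; either use `>` to match the read exactly or add a comment such as `/* '>=' rather than '>': the trailing pack checksum is never object data */` so the next reader does not "fix" it. The enclosing loop of got_pack_parse_object_type_and_size starts outside the hunk, so the per-iteration placement of the check cannot be confirmed from the diff alone.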
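Review bot: Dropping `if (delta_offset >= pack->filesize)` removes the only guard applied to delta_offset before it is cast to size_t, and the replacement check on `mapoff` can be defeated by unsigned wrap-around: if `(size_t)delta_offset` is close to SIZE_MAX (a negative or otherwise corrupt offset), `mapoff = (size_t)delta_offset + *len` and then `mapoff + sizeof(offN)` can wrap to a small value that passes `>= pack->filesize` and leads to an out-of-bounds read from pack->map. Whether delta_offset can reach this function unvalidated depends on callers outside the hunk, so this may already be excluded upstream. The cheap fix is to keep the original guard ahead of the computation: `if (delta_offset < 0 || (size_t)delta_offset >= pack->filesize) return got_error(GOT_ERR_PACK_OFFSET);` followed by the new mapoff check. The got_pack_parse_ref_delta hunk has the same shape (`size_t mapoff = delta_offset + tslen;` is checked only after the addition) and would benefit from the same pre-cast guard.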