Introduce a "max_off" field in struct sliding_view, roughly
representing a maximum number of bytes that can be read from "file".
If it is set to a nonnegative integer, a call to move_window()
attempting to put the right endpoint beyond that offset will return
an error instead.
The idea is to use this when applying Subversion-format deltas to
prevent reads past the end of the preimage (which has known length).
Without such a check, corrupt deltas would cause svn-fe to block
indefinitely when data in the input pipe is exhausted.
Inspired-by: Ramkumar Ramachandra <artagnon@gmail.com>
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
{
struct line_buffer preimage = LINE_BUFFER_INIT;
struct line_buffer delta = LINE_BUFFER_INIT;
- struct sliding_view preimage_view = SLIDING_VIEW_INIT(&preimage);
+ struct sliding_view preimage_view = SLIDING_VIEW_INIT(&preimage, -1);
if (argc != 5)
usage(test_svnfe_usage);
return -1;
if (off < view->off || off + width < view->off + view->width)
return error("invalid delta: window slides left");
+ if (view->max_off >= 0 && view->max_off < off + width)
+ return error("delta preimage ends early");
file_offset = view->off + view->buf.len;
if (off < file_offset) {
struct line_buffer *file;
off_t off;
size_t width;
+ off_t max_off; /* -1 means unlimited */
struct strbuf buf;
};
-#define SLIDING_VIEW_INIT(input) { (input), 0, 0, STRBUF_INIT }
+#define SLIDING_VIEW_INIT(input, len) { (input), 0, 0, (len), STRBUF_INIT }
extern int move_window(struct sliding_view *view, off_t off, size_t width);
projects / git.git / commitdiff