diff options
| author | Phillip Wood <phillip.wood@dunelm.org.uk> | 2025-05-22 16:55:20 +0100 |
|---|---|---|
| committer | Junio C Hamano <gitster@pobox.com> | 2025-05-22 14:48:36 -0700 |
| commit | b103881d4f4b157d86813ba5f91acd7ed6c888d0 (patch) | |
| tree | 3e4114cdfa25c18e0e3591100889bc414745bdce | |
| parent | 8613c2bb6cd16ef530dc5dd74d3b818a1ccbf1c0 (diff) | |
| download | git-b103881d4f4b157d86813ba5f91acd7ed6c888d0.tar.gz | |
midx repack: avoid integer overflow on 32 bit systems
On a 32 bit system "git multi-pack-index --repack --batch-size=120M"
failed with
fatal: size_t overflow: 6038786 * 1289
The calculation to estimated size of the objects in the pack referenced
by the multi-pack-index uses st_mult() to multiply the pack size by the
number of referenced objects before dividing by the total number of
objects in the pack. As size_t is 32 bits on 32 bit systems this
calculation easily overflows. Fix this by using 64bit arithmetic instead.
Also fix a potential overflow when caluculating the total size of the
objects referenced by the multipack index with a batch size larger
than SIZE_MAX / 2. In that case
total_size += estimated_size
can overflow as both total_size and estimated_size can be greater that
SIZE_MAX / 2. This is addressed by using saturating arithmetic for the
addition. Although estimated_size is of type uint64_t by the time we
reach this sum it is bounded by the batch size which is of type size_t
and so casting estimated_size to size_t does not truncate the value.
Signed-off-by: Phillip Wood <phillip.wood@dunelm.org.uk>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
| -rw-r--r-- | git-compat-util.h | 16 | ||||
| -rw-r--r-- | midx-write.c | 12 |
2 files changed, 24 insertions, 4 deletions
diff --git a/git-compat-util.h b/git-compat-util.h index 36b9577c8d..4678e21c4c 100644 --- a/git-compat-util.h +++ b/git-compat-util.h @@ -668,6 +668,22 @@ static inline int cast_size_t_to_int(size_t a) return (int)a; } +static inline uint64_t u64_mult(uint64_t a, uint64_t b) +{ + if (unsigned_mult_overflows(a, b)) + die("uint64_t overflow: %"PRIuMAX" * %"PRIuMAX, + (uintmax_t)a, (uintmax_t)b); + return a * b; +} + +static inline uint64_t u64_add(uint64_t a, uint64_t b) +{ + if (unsigned_add_overflows(a, b)) + die("uint64_t overflow: %"PRIuMAX" + %"PRIuMAX, + (uintmax_t)a, (uintmax_t)b); + return a + b; +} + /* * Limit size of IO chunks, because huge chunks only cause pain. OS X * 64-bit is buggy, returning EINVAL if len >= INT_MAX; and even in diff --git a/midx-write.c b/midx-write.c index dd3b3070e5..105014a279 100644 --- a/midx-write.c +++ b/midx-write.c @@ -1699,19 +1699,23 @@ static void fill_included_packs_batch(struct repository *r, for (i = 0; total_size < batch_size && i < m->num_packs; i++) { int pack_int_id = pack_info[i].pack_int_id; struct packed_git *p = m->packs[pack_int_id]; - size_t expected_size; + uint64_t expected_size; if (!want_included_pack(r, m, pack_kept_objects, pack_int_id)) continue; - expected_size = st_mult(p->pack_size, - pack_info[i].referenced_objects); + expected_size = uint64_mult(p->pack_size, + pack_info[i].referenced_objects); expected_size /= p->num_objects; if (expected_size >= batch_size) continue; - total_size += expected_size; + if (unsigned_add_overflows(total_size, (size_t)expected_size)) + total_size = SIZE_MAX; + else + total_size += expected_size; + include_pack[pack_int_id] = 1; } |