Posted to commits@subversion.apache.org by st...@apache.org on 2014/09/08 14:30:25 UTC

svn commit: r1623373 - /subversion/trunk/subversion/libsvn_fs_fs/index.c

Author: stefan2
Date: Mon Sep  8 12:30:24 2014
New Revision: 1623373

URL: http://svn.apache.org/r1623373
Log:
Add entry type checking to the P2L index reader to detect further
cases of external corruption early.

* subversion/libsvn_fs_fs/index.c
  (read_entry): Verify that P2L index entries follow type restrictions.

Modified:
    subversion/trunk/subversion/libsvn_fs_fs/index.c

Modified: subversion/trunk/subversion/libsvn_fs_fs/index.c
URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_fs_fs/index.c?rev=1623373&r1=1623372&r2=1623373&view=diff
==============================================================================
--- subversion/trunk/subversion/libsvn_fs_fs/index.c (original)
+++ subversion/trunk/subversion/libsvn_fs_fs/index.c Mon Sep  8 12:30:24 2014
@@ -2055,6 +2055,15 @@ read_entry(svn_fs_fs__packed_number_stre
   entry.type = (int)(*last_compound & 7);
   entry.item.number = *last_compound / 8;
 
+  /* Verify item type. */
+  if (entry.type > SVN_FS_FS__ITEM_TYPE_CHANGES)
+    return svn_error_create(SVN_ERR_FS_ITEM_INDEX_CORRUPTION, NULL,
+                            _("Invalid item type in P2L index"));
+  if (   entry.type == SVN_FS_FS__ITEM_TYPE_CHANGES
+      && entry.item.number != SVN_FS_FS__ITEM_INDEX_CHANGES)
+    return svn_error_create(SVN_ERR_FS_ITEM_INDEX_CORRUPTION, NULL,
+                            _("Changed path list must have item number 1"));
+
   SVN_ERR(packed_stream_get(&value, stream));
   *last_revision += (svn_revnum_t)decode_int(value);
   entry.item.revision = *last_revision;
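Review bot: The range check `entry.type > SVN_FS_FS__ITEM_TYPE_CHANGES` relies on CHANGES being the numerically largest valid item type, and the one-line comment above it does not say so. Since `*last_compound & 7` can yield any value from 0 to 7, I would state the assumption next to the check, for example `/* The type field is 3 bits wide; anything above SVN_FS_FS__ITEM_TYPE_CHANGES is rejected as corruption. */`. Both new errors also leave out the offending value; using `svn_error_createf` with `entry.type` in the message would make a corruption report easier to triage. read_entry begins and ends outside this hunk.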
@@ -2062,6 +2071,15 @@ read_entry(svn_fs_fs__packed_number_stre
   SVN_ERR(packed_stream_get(&value, stream));
   entry.fnv1_checksum = (apr_uint32_t)value;
 
+  /* Some of the index data for empty rev / pack file sections will not be
+   * used during normal operation.  Thus, we have strict rules for the
+   * contents of those unused fields. */
+  if (entry.type == SVN_FS_FS__ITEM_TYPE_UNUSED)
+    if (   entry.item.number != SVN_FS_FS__ITEM_INDEX_UNUSED
+        || entry.fnv1_checksum != 0)
+      return svn_error_create(SVN_ERR_FS_ITEM_INDEX_CORRUPTION, NULL,
+                 _("Empty regions must have item number 0 and checksum 0"));
+
   APR_ARRAY_PUSH(result, svn_fs_fs__p2l_entry_t) = entry;
   *item_offset += entry.size;
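Review bot: The zero-checksum test for unused entries compares `entry.fnv1_checksum` only after `value` has been narrowed by `(apr_uint32_t)value`, so an on-disk value whose low 32 bits are zero but which has higher bits set would still pass as "checksum 0". Assuming `value` is wider than 32 bits, as the cast suggests, a check on the untruncated number before the assignment would catch this for every entry type: `if (value > APR_UINT32_MAX) return svn_error_create(SVN_ERR_FS_ITEM_INDEX_CORRUPTION, NULL, _("Invalid FNV1 checksum in P2L index"));`. Separately, the nested `if` pair has no braces; folding it into a single condition joined with `&&`, or bracing the outer `if`, would keep a later `else` from binding to the wrong statement. read_entry starts before and continues past this hunk.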