Posted to commits@subversion.apache.org by st...@apache.org on 2015/05/20 09:15:01 UTC

svn commit: r1680464 - in /subversion/trunk/subversion/libsvn_fs_fs: low_level.c low_level.h rev_file.c

Author: stefan2
Date: Wed May 20 07:15:01 2015
New Revision: 1680464

URL: http://svn.apache.org/r1680464
Log:
Put stricter bounds on the index offset values read by the FSFS format7
footer parser.

* subversion/libsvn_fs_fs/low_level.h
  (svn_fs_fs__parse_footer): Take the footer offset instead of the filesize.

* subversion/libsvn_fs_fs/low_level.c
  (svn_fs_fs__parse_footer): Indexes must begin before the footer and L2P
                             must precede P2L.

* subversion/libsvn_fs_fs/rev_file.c
  (svn_fs_fs__auto_read_footer): Provide footer offset.

Modified:
    subversion/trunk/subversion/libsvn_fs_fs/low_level.c
    subversion/trunk/subversion/libsvn_fs_fs/low_level.h
    subversion/trunk/subversion/libsvn_fs_fs/rev_file.c

Modified: subversion/trunk/subversion/libsvn_fs_fs/low_level.c
URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_fs_fs/low_level.c?rev=1680464&r1=1680463&r2=1680464&view=diff
==============================================================================
--- subversion/trunk/subversion/libsvn_fs_fs/low_level.c (original)
+++ subversion/trunk/subversion/libsvn_fs_fs/low_level.c Wed May 20 07:15:01 2015
@@ -196,7 +196,7 @@ svn_fs_fs__parse_footer(apr_off_t *l2p_o
                         svn_checksum_t **p2l_checksum,
                         svn_stringbuf_t *footer,
                         svn_revnum_t rev,
-                        svn_filesize_t filesize,
+                        apr_off_t footer_offset,
                         apr_pool_t *result_pool)
 {
   apr_int64_t val;
@@ -208,7 +208,7 @@ svn_fs_fs__parse_footer(apr_off_t *l2p_o
     return svn_error_create(SVN_ERR_FS_CORRUPT, NULL,
                             _("Invalid revision footer"));
 
-  SVN_ERR_W(svn_cstring_strtoi64(&val, str, 0, filesize - 1, 10),
+  SVN_ERR_W(svn_cstring_strtoi64(&val, str, 0, footer_offset - 1, 10),
             "Invalid L2P offset in revision footer");
   *l2p_offset = (apr_off_t)val;
 
@@ -227,10 +227,22 @@ svn_fs_fs__parse_footer(apr_off_t *l2p_o
     return svn_error_create(SVN_ERR_FS_CORRUPT, NULL,
                             _("Invalid revision footer"));
 
-  SVN_ERR_W(svn_cstring_strtoi64(&val, str, 0, filesize - 1, 10),
+  SVN_ERR_W(svn_cstring_strtoi64(&val, str, 0, footer_offset - 1, 10),
             "Invalid P2L offset in revision footer");
   *p2l_offset = (apr_off_t)val;
 
+  /* The P2L indes follows the L2P index */
+  if (*p2l_offset <= *l2p_offset)
+    return svn_error_createf(SVN_ERR_FS_CORRUPT, NULL,
+                             "P2L offset %s must be larger than L2P offset %s"
+                             " in revision footer",
+                             apr_psprintf(result_pool,
+                                          "%" APR_UINT64_T_HEX_FMT,
+                                          (apr_uint64_t)*p2l_offset),
+                             apr_psprintf(result_pool,
+                                          "%" APR_UINT64_T_HEX_FMT,
+                                          (apr_uint64_t)*l2p_offset));
+
   /* Get the P2L checksum. */
   str = svn_cstring_tokenize(" ", &last_str);
   if (str == NULL)
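Review bot: The new `svn_error_createf` message prints both offsets with `APR_UINT64_T_HEX_FMT` but no `0x` prefix, so someone diagnosing a corrupt rev file cannot tell whether the digits are hex or decimal. Unlike the `_("Invalid revision footer")` message a few lines above, the format string is also not wrapped in `_()`. I would write it as `_("P2L offset 0x%s must be larger than L2P offset 0x%s in revision footer")`. The comment above the check has a typo and should read `/* The P2L index follows the L2P index */`. The body of svn_fs_fs__parse_footer starts and ends outside this hunk.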

Modified: subversion/trunk/subversion/libsvn_fs_fs/low_level.h
URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_fs_fs/low_level.h?rev=1680464&r1=1680463&r2=1680464&view=diff
==============================================================================
--- subversion/trunk/subversion/libsvn_fs_fs/low_level.h (original)
+++ subversion/trunk/subversion/libsvn_fs_fs/low_level.h Wed May 20 07:15:01 2015
@@ -67,7 +67,7 @@ svn_fs_fs__unparse_revision_trailer(apr_
  * *P2L_OFFSET, respectively.  Also, return the expected checksums in
  * in *L2P_CHECKSUM and *P2L_CHECKSUM.
  *
- * FILESIZE is used for validation.
+ * FOOTER_OFFSET is used for validation.
  *
  * Note that REV is only used to construct nicer error objects that
  * mention this revision.  Allocate the checksums in RESULT_POOL.
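Review bot: The doc comment now says only that FOOTER_OFFSET "is used for validation", which does not tell a caller what value to pass or which footers are rejected. Going by the implementation in low_level.c, I would replace that sentence with `FOOTER_OFFSET is the offset of the footer within the rev file; both index offsets must be smaller than it and *P2L_OFFSET must be larger than *L2P_OFFSET, otherwise an error is returned.` The comment block starts above this hunk.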
@@ -79,7 +79,7 @@ svn_fs_fs__parse_footer(apr_off_t *l2p_o
                         svn_checksum_t **p2l_checksum,
                         svn_stringbuf_t *footer,
                         svn_revnum_t rev,
-                        svn_filesize_t filesize,
+                        apr_off_t footer_offset,
                         apr_pool_t *result_pool);
 
 /* Given the offset of the L2P index data in L2P_OFFSET, the content

Modified: subversion/trunk/subversion/libsvn_fs_fs/rev_file.c
URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_fs_fs/rev_file.c?rev=1680464&r1=1680463&r2=1680464&view=diff
==============================================================================
--- subversion/trunk/subversion/libsvn_fs_fs/rev_file.c (original)
+++ subversion/trunk/subversion/libsvn_fs_fs/rev_file.c Wed May 20 07:15:01 2015
@@ -259,7 +259,7 @@ svn_fs_fs__auto_read_footer(svn_fs_fs__r
       SVN_ERR(svn_fs_fs__parse_footer(&file->l2p_offset, &file->l2p_checksum,
                                       &file->p2l_offset, &file->p2l_checksum,
                                       footer, file->start_revision,
-                                      filesize,
+                                      filesize - footer_length - 1,
                                       file->pool));
       file->footer_offset = filesize - footer_length - 1;
     }
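Review bot: `filesize - footer_length - 1` is now written twice in adjacent statements, once as the validation bound and once for `file->footer_offset`, so the two can drift apart in a later edit. Computing it once, e.g. `apr_off_t footer_offset = filesize - footer_length - 1;`, then passing `footer_offset` and assigning `file->footer_offset = footer_offset;`, keeps them identical (the declared types are outside the hunk, so the local's type needs confirming). Since `footer_length` presumably comes from the file being parsed, a corrupt file where it is not smaller than `filesize` would yield a negative bound. Whether that is rejected earlier in svn_fs_fs__auto_read_footer is not visible here, and if not, the parser relies on `svn_cstring_strtoi64` refusing an empty range.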