You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@subversion.apache.org by st...@apache.org on 2014/01/21 02:08:16 UTC

svn commit: r1559870 - /subversion/trunk/subversion/libsvn_fs_fs/index.c

Author: stefan2
Date: Tue Jan 21 01:08:16 2014
New Revision: 1559870

URL: http://svn.apache.org/r1559870
Log:
Prevent out-of-bound array access when the FSFS f7 index information
got corrupted.

* subversion/libsvn_fs_fs/index.c
  (get_l2p_header_body): Verify that the index file actually provided
                         data for the requested revision.

Modified:
    subversion/trunk/subversion/libsvn_fs_fs/index.c

Modified: subversion/trunk/subversion/libsvn_fs_fs/index.c
URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_fs_fs/index.c?rev=1559870&r1=1559869&r2=1559870&view=diff
==============================================================================
--- subversion/trunk/subversion/libsvn_fs_fs/index.c (original)
+++ subversion/trunk/subversion/libsvn_fs_fs/index.c Tue Jan 21 01:08:16 2014
@@ -788,6 +788,13 @@ get_l2p_header_body(l2p_header_t **heade
   SVN_ERR(packed_stream_get(&value, rev_file->l2p_stream));
   page_count = (apr_size_t)value;
 
+  if (result->first_revision > revision
+      || result->first_revision + result->revision_count <= revision)
+    return svn_error_createf(SVN_ERR_FS_ITEM_INDEX_CORRUPTION, NULL,
+                      _("Corrupt L2P index for r%ld only covers r%ld:%ld"),
+                      revision, result->first_revision,
+                      result->first_revision + result->revision_count);
+
   /* allocate the page tables */
   result->page_table
     = apr_pcalloc(pool, page_count * sizeof(*result->page_table));