commit 3976db154b362a2b110c8dba0c44d1845f9a6e90 from: Stefan Sperling date: Mon Jan 10 14:46:30 2022 UTC add missing checks for reads beyond the mapped memory area of a pack file commit - 402a5ec1f96e30e83525c0e1509f854a706d1066 commit + 3976db154b362a2b110c8dba0c44d1845f9a6e90 blob - a0306114c68e819c0550e81661abc0b5fc91994d blob + 4a1a3b5a468f64d961a00092f1e31c7840fa0674
--- lib/pack.c
+++ lib/pack.c
@@ -639,6 +639,8 @@ got_pack_parse_object_type_and_size(uint8_t *type, uin
return got_error(GOT_ERR_NO_SPACE);
if (pack->map) {
+ if (mapoff + sizeof(sizeN) >= pack->filesize)
+ return got_error(GOT_ERR_BAD_PACKFILE);
sizeN = *(pack->map + mapoff);
mapoff += sizeof(sizeN);
} else {
@@ -703,9 +705,9 @@ parse_negative_offset(int64_t *offset, size_t *len, st
if (pack->map) {
size_t mapoff;
- if (delta_offset >= pack->filesize)
- return got_error(GOT_ERR_PACK_OFFSET);
mapoff = (size_t)delta_offset + *len;
+ if (mapoff + sizeof(offN) >= pack->filesize)
+ return got_error(GOT_ERR_PACK_OFFSET);
offN = *(pack->map + mapoff);
} else {
ssize_t n;
@@ -845,6 +847,8 @@ got_pack_parse_ref_delta(struct got_object_id *id,
{
if (pack->map) {
size_t mapoff = delta_offset + tslen;
+ if (mapoff + sizeof(*id) >= pack->filesize)
+ return got_error(GOT_ERR_PACK_OFFSET);
memcpy(id, pack->map + mapoff, sizeof(*id));
} else {
ssize_t n;
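Review bot: The new guard in got_pack_parse_object_type_and_size returns GOT_ERR_BAD_PACKFILE, while the same out-of-range condition added in parse_negative_offset and got_pack_parse_ref_delta returns GOT_ERR_PACK_OFFSET, so any caller that distinguishes the two will see one truncated file classified two ways depending on which read hits the end of the mapping first. If the distinction is deliberate, a one-line comment on the new `if` would stop the next reader from "fixing" it: `/* the object header itself is cut short, so this is a bad pack, not a bad delta offset */`. Otherwise `return got_error(GOT_ERR_PACK_OFFSET);` keeps all three checks uniform. The enclosing function begins and ends outside this hunk, so where mapoff was first bounded is not visible here.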
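Review bot: Dropping the `delta_offset >= pack->filesize` pre-check leaves `mapoff + sizeof(offN) >= pack->filesize` as the only bound, and that sum is computed in size_t: if `(size_t)delta_offset + *len` lands within one of SIZE_MAX (a negative or huge delta_offset, whose type is not visible here, would do it), the addition wraps to a small value, the check passes, and `*(pack->map + mapoff)` reads far outside the mapping. Whether that is reachable depends on how callers outside this hunk derive delta_offset, which I cannot see, but the check can be written so it holds regardless: `if (mapoff >= pack->filesize || pack->filesize - mapoff < sizeof(offN)) return got_error(GOT_ERR_PACK_OFFSET);`. Alternatively, keep the removed line in front of the new one as a cheap sanity check on delta_offset itself, extended to `if (delta_offset < 0 || delta_offset >= pack->filesize)`. The enclosing function starts and ends outside this hunk.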
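Review bot: `mapoff + sizeof(*id) >= pack->filesize` rejects one more byte than the memcpy needs: the copy touches bytes [mapoff, mapoff + sizeof(*id)), which lies entirely inside the mapping whenever `mapoff + sizeof(*id) <= pack->filesize`, so an id ending exactly at the last mapped byte is refused; the same `>=` appears in the other two hunks. A pack normally carries a trailing checksum after its last object, so a well-formed file probably never places an id flush against the end, but `if (mapoff + sizeof(*id) > pack->filesize)` is the exact bound and matches what the copy reads. As in parse_negative_offset, `delta_offset + tslen` is an unchecked addition; if delta_offset is not already validated by the caller, `if (mapoff >= pack->filesize || pack->filesize - mapoff < sizeof(*id))` avoids any wrap in the sum. The enclosing function continues outside the hunk.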