Merge pull request #4721 from nelhage/max-objects

Add a configurable limit to the max pack size that will be indexed

Merge pull request #4721 from nelhage/max-objects
Add a configurable limit to the max pack size that will be indexed
42f83840 · Patrick Steinhardt · GitHub · 7d3930a1 · 32810348 · 42f83840
Unverified Commit 42f83840 authored Jul 26, 2018 by Patrick Steinhardt Committed by GitHub Jul 26, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 31 additions and 7 deletions

include/git2/common.h
+15 -1

src/indexer.c
+7 -5

src/settings.c
+9 -1

No files found.
--- a/include/git2/common.h
+++ b/include/git2/common.h
@@ -195,7 +195,9 @@ typedef enum {
 	GIT_OPT_SET_WINDOWS_SHAREMODE,
 	GIT_OPT_ENABLE_STRICT_HASH_VERIFICATION,
 	GIT_OPT_SET_ALLOCATOR,
-	GIT_OPT_ENABLE_UNSAVED_INDEX_SAFETY
+	GIT_OPT_ENABLE_UNSAVED_INDEX_SAFETY,
+	GIT_OPT_GET_PACK_MAX_OBJECTS,
+	GIT_OPT_SET_PACK_MAX_OBJECTS
 } git_libgit2_opt_t;
 /**
@@ -372,6 +374,18 @@ typedef enum {
 *		> fail.  (Using the FORCE flag to checkout will still overwrite
 *		> these changes.)
 *
+ *	 opts(GIT_OPT_GET_PACK_MAX_OBJECTS, size_t *out)
+ *
+ *		> Get the maximum number of objects libgit2 will allow in a pack
+ *		> file when downloading a pack file from a remote. This can be
+ *		> used to limit maximum memory usage when fetching from an untrusted
+ *		> remote.
+ *
+ *	 opts(GIT_OPT_SET_PACK_MAX_OBJECTS, size_t objects)
+ *
+ *		> Set the maximum number of objects libgit2 will allow in a pack
+ *		> file when downloading a pack file from a remote.
+ *
 * @param option Option key
 * @param ... value to set the option
 * @return 0 on success, <0 on failure

--- a/src/indexer.c
+++ b/src/indexer.c
@@ -22,6 +22,8 @@
 extern git_mutex git__mwindow_mutex;
+size_t git_indexer__max_objects = UINT32_MAX;
 #define UINT31_MAX (0x7FFFFFFF)
 struct entry {
@@ -557,12 +559,12 @@ int git_indexer_append(git_indexer *idx, const void *data, size_t size, git_tran
 		idx->nr_objects = ntohl(hdr->hdr_entries);
 		idx->off = sizeof(struct git_pack_header);
-		/* for now, limit to 2^32 objects */
+		if (idx->nr_objects <= git_indexer__max_objects) {
-		assert(idx->nr_objects == (size_t)((unsigned int)idx->nr_objects));
-		if (idx->nr_objects == (size_t)((unsigned int)idx->nr_objects))
 			total_objects = (unsigned int)idx->nr_objects;
-		else
+		} else {
-			total_objects = UINT_MAX;
+			giterr_set(GITERR_INDEXER, "too many objects");
+			return -1;
+		}
 		idx->pack->idx_cache = git_oidmap_alloc();
 		GITERR_CHECK_ALLOC(idx->pack->idx_cache);

--- a/src/settings.c
+++ b/src/settings.c
@@ -56,6 +56,7 @@ int git_libgit2_features(void)
 /* Declarations for tuneable settings */
 extern size_t git_mwindow__window_size;
 extern size_t git_mwindow__mapped_limit;
+extern size_t git_indexer__max_objects;
 static int config_level_to_sysdir(int config_level)
 {
@@ -270,6 +271,14 @@ int git_libgit2_opts(int key, ...)
 		git_index__enforce_unsaved_safety = (va_arg(ap, int) != 0);
 		break;
+	case GIT_OPT_SET_PACK_MAX_OBJECTS:
+		git_indexer__max_objects = va_arg(ap, size_t);
+		break;
+	case GIT_OPT_GET_PACK_MAX_OBJECTS:
+		*(va_arg(ap, size_t *)) = git_indexer__max_objects;
+		break;
 	default:
 		giterr_set(GITERR_INVALID, "invalid option key");
 		error = -1;
@@ -279,4 +288,3 @@ int git_libgit2_opts(int key, ...)
 	return error;
 }