From d3cfc1932e71994ec866f6bea67615c58878f952 Mon Sep 17 00:00:00 2001 From: Runxi Yu Date: Sat, 28 Mar 2026 16:13:55 +0000 Subject: object/store/packed: Expect length and verify Adler-32 --- object/store/loose/read_bytes.go | 6 ++++++ object/store/packed/entry_inflate.go | 9 +++++++++ object/store/packed/read_bytes.go | 8 ++++++++ 3 files changed, 23 insertions(+) diff --git a/object/store/loose/read_bytes.go b/object/store/loose/read_bytes.go index 0b6da81b..87a9f020 100644 --- a/object/store/loose/read_bytes.go +++ b/object/store/loose/read_bytes.go @@ -29,6 +29,9 @@ func (store *Store) readBytesParsed(id objectid.ObjectID) ([]byte, objecttype.Ty } // ReadBytesFull reads a full serialized object as "type size\0content". +// +// It inflates and parses the full loose object, including consuming the zlib +// stream through its Adler-32 trailer. func (store *Store) ReadBytesFull(id objectid.ObjectID) ([]byte, error) { raw, _, _, err := store.readBytesParsed(id) if err != nil { @@ -39,6 +42,9 @@ func (store *Store) ReadBytesFull(id objectid.ObjectID) ([]byte, error) { } // ReadBytesContent reads an object's type and content bytes. +// +// Like ReadBytesFull, it inflates and parses the full loose object, including +// consuming the zlib stream through its Adler-32 trailer. func (store *Store) ReadBytesContent(id objectid.ObjectID) (objecttype.Type, []byte, error) { _, ty, content, err := store.readBytesParsed(id) if err != nil { diff --git a/object/store/packed/entry_inflate.go b/object/store/packed/entry_inflate.go index 1c3943e9..f79d86c0 100644 --- a/object/store/packed/entry_inflate.go +++ b/object/store/packed/entry_inflate.go @@ -7,6 +7,7 @@ import ( "math" "codeberg.org/lindenii/furgit/internal/compress/zlib" + "codeberg.org/lindenii/furgit/internal/iolimit" ) // zlibReaderAt opens a zlib reader starting at data offset within pack. @@ -36,6 +37,7 @@ func inflateAt(pack *packFile, offset int, expectedSize int64) ([]byte, error) { ) } + reader := iolimit.ExpectLengthReader(reader, expectedSize) body := make([]byte, int(expectedSize)) _, err := io.ReadFull(reader, body) @@ -43,6 +45,13 @@ func inflateAt(pack *packFile, offset int, expectedSize int64) ([]byte, error) { return nil, err } + var probe [1]byte + + _, err = reader.Read(probe[:]) + if err != nil && err != io.EOF { + return nil, err + } + return body, nil } diff --git a/object/store/packed/read_bytes.go b/object/store/packed/read_bytes.go index 333cfaae..98ae6995 100644 --- a/object/store/packed/read_bytes.go +++ b/object/store/packed/read_bytes.go @@ -9,6 +9,10 @@ import ( ) // ReadBytesContent reads an object's type and content bytes. +// +// It fully resolves the requested object bytes. For base pack entries, this +// includes verifying that the zlib stream inflates to exactly the declared +// object size and reaches its Adler-32 trailer. func (store *Store) ReadBytesContent(id objectid.ObjectID) (objecttype.Type, []byte, error) { loc, err := store.lookup(id) if err != nil { @@ -19,6 +23,10 @@ func (store *Store) ReadBytesContent(id objectid.ObjectID) (objecttype.Type, []b } // ReadBytesFull reads a full serialized object as "type size\0content". +// +// Like ReadBytesContent, it fully resolves the requested object bytes. For +// base pack entries, this includes verifying that the zlib stream inflates to +// exactly the declared object size and reaches its Adler-32 trailer. func (store *Store) ReadBytesFull(id objectid.ObjectID) ([]byte, error) { ty, content, err := store.ReadBytesContent(id) if err != nil { -- cgit v1.3.1-10-gc9f91