commit 0872c0b07dcdec507db636c063c1b96bf9cee9e1 from: Stefan Sperling date: Wed Mar 18 16:11:30 2020 UTC more reasonable minimum length check in check_pack_hash()
commit - eac2c4cda61825a5f030a46aa42cbbbc34294a02
commit + 0872c0b07dcdec507db636c063c1b96bf9cee9e1
blob - f274d7e931e5a3e179d311f5a26d0d901a9a77d7
blob + 0847deffe61980e378edf688aa440563d4f0c67f
--- libexec/got-fetch-pack/got-fetch-pack.c
+++ libexec/got-fetch-pack/got-fetch-pack.c
@@ -45,6 +45,7 @@
 #include "got_lib_object.h"
 #include "got_lib_object_parse.h"
 #include "got_lib_privsep.h"
+#include "got_lib_pack.h"
 #ifndef nitems
 #define nitems(_a) (sizeof((_a)) / sizeof((_a)[0]))
@@ -165,7 +166,7 @@ check_pack_hash(int fd, size_t sz, uint8_t *hcomp)
 uint8_t buf[32*1024];
 ssize_t n, r, nr;
- if (sz < 28)
+ if (sz < sizeof(struct got_packfile_hdr) + SHA1_DIGEST_LENGTH)
 return got_error(GOT_ERR_BAD_PACKFILE);
 n = 0;
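Review bot: The new guard in check_pack_hash() treats `sizeof(struct got_packfile_hdr)` as the on-disk header length, which is only correct if that struct has no padding; it is declared in got_lib_pack.h, which this diff does not show. Because sz presumably describes a pack received from a remote peer, the assumption deserves a comment above the check, e.g. `/* smallest valid pack: header plus trailing SHA1 checksum */`. A compile-time size assertion next to the struct definition would also keep the bound from drifting. The function body continues outside the hunk, so it is not possible to confirm from here that later arithmetic on sz subtracts `SHA1_DIGEST_LENGTH` rather than a literal. Note also that sz is `size_t` while n, r and nr are `ssize_t`, so any comparison between them in the unseen part mixes signedness.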