Merge pull request from GHSA-4gj3-6r43-3wfc

Add size check on the bitfield before allocation

Author: Jorropo

data/builder/dirshard.go

@@ -133,23 +133,30 @@ func (s *shard) formatLinkName(name string, idx int) string {
 }
 
 // bitmap calculates the bitmap of which links in the shard are set.
-func (s *shard) bitmap() []byte {
-	bm := bitfield.NewBitfield(s.size)
+func (s *shard) bitmap() ([]byte, error) {
+	bm, err := bitfield.NewBitfield(s.size)
+	if err != nil {
+		return nil, err
+	}
 	for i := 0; i < s.size; i++ {
 		if _, ok := s.children[i]; ok {
 			bm.SetBit(i)
 		}
 	}
-	return bm.Bytes()
+	return bm.Bytes(), nil
 }
 
 // serialize stores the concrete representation of this shard in the link system and
 // returns a link to it.
 func (s *shard) serialize(ls *ipld.LinkSystem) (ipld.Link, uint64, error) {
+	bm, err := s.bitmap()
+	if err != nil {
+		return nil, 0, err
+	}
 	ufd, err := BuildUnixFS(func(b *Builder) {
 		DataType(b, data.Data_HAMTShard)
 		HashType(b, s.hasher)
-		Data(b, s.bitmap())
+		Data(b, bm)
 		Fanout(b, uint64(s.size))
 	})
 	if err != nil {

go.mod

@@ -3,68 +3,70 @@ module github.com/ipfs/go-unixfsnode
 go 1.19
 
 require (
-	github.com/ipfs/go-bitfield v1.0.0
-	github.com/ipfs/go-cid v0.2.0
+	github.com/ipfs/go-bitfield v1.1.0
+	github.com/ipfs/go-cid v0.3.2
 	github.com/ipfs/go-ipfs-chunker v0.0.1
 	github.com/ipfs/go-ipfs-util v0.0.2
 	github.com/ipfs/go-ipld-format v0.2.0
 	github.com/ipfs/go-merkledag v0.5.1
-	github.com/ipfs/go-unixfs v0.3.1
+	github.com/ipfs/go-unixfs v0.4.3
 	github.com/ipld/go-car/v2 v2.1.1
 	github.com/ipld/go-codec-dagpb v1.4.1
 	github.com/ipld/go-ipld-prime v0.16.0
-	github.com/multiformats/go-multicodec v0.4.1
-	github.com/multiformats/go-multihash v0.1.0
+	github.com/multiformats/go-multicodec v0.7.0
+	github.com/multiformats/go-multihash v0.2.1
 	github.com/spaolacci/murmur3 v1.1.0
-	github.com/stretchr/testify v1.7.0
-	google.golang.org/protobuf v1.28.0
+	github.com/stretchr/testify v1.8.1
+	google.golang.org/protobuf v1.28.1
 )
 
 require (
+	github.com/benbjohnson/clock v1.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/google/uuid v1.2.0 // indirect
+	github.com/google/uuid v1.3.0 // indirect
 	github.com/hashicorp/golang-lru v0.5.4 // indirect
 	github.com/ipfs/bbloom v0.0.4 // indirect
 	github.com/ipfs/go-block-format v0.0.3 // indirect
 	github.com/ipfs/go-blockservice v0.2.1 // indirect
-	github.com/ipfs/go-datastore v0.5.0 // indirect
+	github.com/ipfs/go-datastore v0.6.0 // indirect
 	github.com/ipfs/go-ipfs-blockstore v1.1.2 // indirect
 	github.com/ipfs/go-ipfs-ds-help v1.1.0 // indirect
 	github.com/ipfs/go-ipfs-exchange-interface v0.1.0 // indirect
 	github.com/ipfs/go-ipfs-exchange-offline v0.1.1 // indirect
 	github.com/ipfs/go-ipld-cbor v0.0.5 // indirect
 	github.com/ipfs/go-ipld-legacy v0.1.0 // indirect
 	github.com/ipfs/go-log v1.0.5 // indirect
-	github.com/ipfs/go-log/v2 v2.3.0 // indirect
+	github.com/ipfs/go-log/v2 v2.5.1 // indirect
 	github.com/ipfs/go-metrics-interface v0.0.1 // indirect
 	github.com/ipfs/go-verifcid v0.0.1 // indirect
 	github.com/jbenet/goprocess v0.1.4 // indirect
-	github.com/klauspost/cpuid/v2 v2.0.12 // indirect
-	github.com/libp2p/go-buffer-pool v0.0.2 // indirect
-	github.com/mattn/go-isatty v0.0.13 // indirect
-	github.com/minio/blake2b-simd v0.0.0-20160723061019-3f5f724cb5b1 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.1 // indirect
+	github.com/libp2p/go-buffer-pool v0.1.0 // indirect
+	github.com/libp2p/go-libp2p v0.25.0 // indirect
+	github.com/mattn/go-isatty v0.0.16 // indirect
 	github.com/minio/sha256-simd v1.0.0 // indirect
 	github.com/mr-tron/base58 v1.2.0 // indirect
-	github.com/multiformats/go-base32 v0.0.4 // indirect
-	github.com/multiformats/go-base36 v0.1.0 // indirect
-	github.com/multiformats/go-multibase v0.0.3 // indirect
-	github.com/multiformats/go-varint v0.0.6 // indirect
+	github.com/multiformats/go-base32 v0.1.0 // indirect
+	github.com/multiformats/go-base36 v0.2.0 // indirect
+	github.com/multiformats/go-multiaddr v0.8.0 // indirect
+	github.com/multiformats/go-multibase v0.1.1 // indirect
+	github.com/multiformats/go-varint v0.0.7 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/petar/GoLLRB v0.0.0-20210522233825-ae3b015fd3e9 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/polydawn/refmt v0.0.0-20201211092308-30ac6d18308e // indirect
 	github.com/whyrusleeping/cbor v0.0.0-20171005072247-63513f603b11 // indirect
 	github.com/whyrusleeping/cbor-gen v0.0.0-20200123233031-1cdf64d27158 // indirect
 	github.com/whyrusleeping/chunker v0.0.0-20181014151217-fe64bd25879f // indirect
-	go.uber.org/atomic v1.7.0 // indirect
-	go.uber.org/multierr v1.7.0 // indirect
-	go.uber.org/zap v1.16.0 // indirect
-	golang.org/x/crypto v0.0.0-20220427172511-eb4f295cb31f // indirect
-	golang.org/x/exp v0.0.0-20210615023648-acb5c1269671 // indirect
-	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
-	golang.org/x/sys v0.0.0-20220429233432-b5fbb4746d32 // indirect
+	go.uber.org/atomic v1.10.0 // indirect
+	go.uber.org/multierr v1.8.0 // indirect
+	go.uber.org/zap v1.24.0 // indirect
+	golang.org/x/crypto v0.4.0 // indirect
+	golang.org/x/exp v0.0.0-20221205204356-47842c84f3db // indirect
+	golang.org/x/sync v0.1.0 // indirect
+	golang.org/x/sys v0.3.0 // indirect
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
-	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 	lukechampine.com/blake3 v1.1.7 // indirect
 )