Unrated severity · NVD Advisory · Published Sep 2, 2021 · Updated Aug 4, 2024

CVE-2021-33928

Description

Buffer overflow vulnerability in function pool_installable in src/repo.h in libsolv before 0.7.17 allows attackers to cause a Denial of Service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products: 4

Patches

Vulnerability mechanics

Root cause

"Missing bounds check on the index used in the MAPTST macro allows heap-buffer-overflow when accessing pool->considered->map."

Attack vector

An attacker supplies a crafted testcase file to the `testsolv` tool. During parsing, the `testcase_read` function eventually calls `selection_make`, which invokes `solvable_matches_selection_flags` and then `pool_disabled_solvable` (or the other two functions) with an `id` value that produces an out-of-bounds index into `pool->considered->map`. This results in a heap-buffer-overflow read, causing a denial of service. The precondition is that the attacker can provide a malicious input file to the `testsolv` binary.

Affected code

The heap-buffer overflow occurs in `src/repo.h` at lines 96, 120, and 138, inside the inline functions `pool_disabled_solvable`, `pool_installable`, and `pool_installable_whatprovides`. All three functions use the same vulnerable macro `MAPTST(pool->considered, id)` without checking that the computed index `id>>3` is within the bounds of the `pool->considered->map` array.

What the fix does

The advisory does not include a patch diff. The recommended fix is to add a bounds check before the `MAPTST(pool->considered, id)` macro invocation so that the index `id>>3` is verified to be less than `pool->considered->size`. Without such a check, any caller that passes an `id` derived from untrusted input can trigger an out-of-bounds read.
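The bounds check described above, written out as an added example. This is illustrative code, not libsolv's own source: the `Map` layout (`unsigned char *map`, `int size`), the `MAPTST` macro and the `considered_installable` stand-in for `pool_installable` are assumptions modelled on the advisory's description, and the 16-bit map with bit 5 set is a constructed fixture.

```c
/* Added example: a minimal stand-in for libsolv's Map bitmap and the
 * MAPTST macro, with the unchecked test beside a bounds-checked accessor.
 * Assumption: Map is a byte array plus its length in bytes, one bit per Id. */
#include <stdio.h>
#include <stdlib.h>

typedef struct {
    unsigned char *map;  /* one bit per Id */
    int size;            /* number of bytes allocated in map */
} Map;

/* Unchecked test, as the advisory describes it: map[id >> 3] is read
 * without comparing the byte index against size. */
#define MAPTST(m, n) ((m)->map[(n) >> 3] & (1 << ((n) & 7)))

/* Allocate a zeroed bitmap able to hold nbits Ids. Returns 1 on success. */
static int map_init(Map *m, int nbits) {
    m->size = (nbits + 7) >> 3;
    m->map = calloc(m->size ? m->size : 1, 1);
    return m->map != NULL;
}

static void map_free(Map *m) {
    free(m->map);
    m->map = NULL;
    m->size = 0;
}

static void map_set(Map *m, int n) { m->map[n >> 3] |= (unsigned char)(1 << (n & 7)); }

/* Bounds-checked replacement: reject negative Ids and any Id whose byte
 * index id >> 3 falls outside the allocated map. Such an Id is reported
 * as "not set" instead of being read from adjacent heap memory. */
static int map_tst_checked(const Map *m, int id) {
    if (id < 0 || (id >> 3) >= m->size)
        return 0;
    return (m->map[id >> 3] & (1 << (id & 7))) != 0;
}

/* Stand-in for a fixed pool_installable: consult the considered map only
 * through the checked accessor. A missing map means no filter is applied. */
static int considered_installable(const Map *considered, int id) {
    if (!considered || !considered->map)
        return 1;
    return map_tst_checked(considered, id);
}

/* Constructed fixture: a 16-bit map (2 bytes, valid Ids 0..15) with Id 5
 * set. Returns what considered_installable answers for the given id. */
static int demo_result(int id) {
    Map considered;
    int r;
    if (!map_init(&considered, 16))
        return -1;
    map_set(&considered, 5);
    r = considered_installable(&considered, id);
    map_free(&considered);
    return r;
}

/* Same fixture through the unchecked macro; only safe for in-range Ids. */
static int demo_unchecked_in_range(int id) {
    Map considered;
    int r;
    if (!map_init(&considered, 16))
        return -1;
    map_set(&considered, 5);
    r = MAPTST(&considered, id) != 0;
    map_free(&considered);
    return r;
}

int main(void) {
    printf("id 5    -> %d\n", demo_result(5));     /* set, in range */
    printf("id 6    -> %d\n", demo_result(6));     /* clear, in range */
    /* Id 4096 would read map[512] of a 2-byte map through MAPTST;
     * the checked path refuses it and answers 0. */
    printf("id 4096 -> %d\n", demo_result(4096));
    return 0;
}
```

The check compares the byte index rather than the Id itself against `size`, matching how the map is indexed; a negative Id is rejected before any shift, since right-shifting a negative `int` is implementation-defined in C.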

Preconditions

  • input: Attacker must be able to supply a crafted testcase file to the testsolv tool
  • config: The pool->considered map must be allocated with a size smaller than the index derived from the attacker-controlled id

Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0

No linked articles in our index yet.