CVE-2021-33929

An attacker supplies a crafted testcase file that triggers a heap-buffer-overflow when processed by the `testsolv` tool [ref_id=1]. The macro `MAPTST(pool->considered, id)` computes `pool->considered->map[id>>3]`; if `id` is large enough that `id>>3` exceeds `pool->considered->size`, a read past the allocated heap buffer occurs [ref_id=1]. This can lead to a denial of service (crash) as demonstrated by the AddressSanitizer output [ref_id=1].

The heap-buffer-overflow occurs in `pool_disabled_solvable`, `pool_installable`, and `pool_installable_whatprovides` in `src/repo.h` at lines 96, 120, and 138 respectively [ref_id=1]. All three functions use the same vulnerable `MAPTST(pool->considered, id)` macro without checking that the computed index `id>>3` is within the bounds of the `pool->considered->map` array [ref_id=1].

The advisory does not include a patch diff, but the fix (introduced in libsolv before 0.7.17) must add a bounds check before the `MAPTST` macro access to ensure `id>>3 < pool->considered->size` [ref_id=1]. Without this check, any caller that passes an out-of-range `id` can read memory beyond the allocated `map` buffer, causing undefined behavior and a crash [ref_id=1].