Unrated severity · NVD Advisory · Published Sep 2, 2021 · Updated Aug 4, 2024

CVE-2021-33930

Description

Buffer overflow vulnerability in function pool_installable_whatprovides in src/repo.h in libsolv before 0.7.17 allows attackers to cause a Denial of Service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"Missing bounds check on the index `id>>3` before accessing `pool->considered->map` allows a heap-buffer-overflow read."

Attack vector

An attacker supplies a crafted testcase file to the `testsolv` tool. During parsing, the `testcase_read` function eventually calls `selection_make` → `selection_name_arch_rel` → `selection_name_arch` → `selection_name` → `solvable_matches_selection_flags`, which invokes `pool_disabled_solvable` with an `id` value that causes `id>>3` to exceed the `pool->considered->map` allocation size [ref_id=1]. The resulting out-of-bounds read triggers a heap-buffer-overflow, leading to a denial of service. No authentication or special privileges are required; the attacker only needs to supply the malicious input file.

Affected code

The heap-buffer-overflow occurs in three inline functions in `src/repo.h`: `pool_disabled_solvable` (line 96), `pool_installable` (line 120), and `pool_installable_whatprovides` (line 138). All three share the same vulnerable statement `MAPTST(pool->considered, id)`, which reads `pool->considered->map[id>>3]` without checking that the index `id>>3` is within the allocated `size` of the `Map` structure [ref_id=1].

What the fix does

The advisory does not include a published patch diff, but the fix (introduced in libsolv 0.7.17) must add a bounds check before the `MAPTST` macro dereferences `pool->considered->map[id>>3]`. The `Map` structure stores its allocated size in the `size` field; the fix should verify that `(id >> 3) < pool->considered->size` before performing the bit test, preventing the out-of-bounds read. Without this check, any caller that passes an unvalidated solvable `id` can cause a heap-buffer-overflow.
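
A simplified C model of the bounds check described above, added here as an illustration; it is not libsolv's code or the upstream patch. The Map layout and the names MAPTST_UNCHECKED, map_test_checked and solvable_disabled_checked are assumptions made for the example, and the input is constructed.

```c
#include <stdlib.h>

/* Simplified stand-in for the Map described above: a bit array plus its
 * allocated size in bytes. Layout and names are assumptions for this example. */
typedef struct {
    unsigned char *map;
    int size;               /* bytes allocated for map */
} Map;

/* Unchecked bit test: reads map[n >> 3] whatever the value of size.
 * Shown for comparison only; the demo never calls it out of range. */
#define MAPTST_UNCHECKED(m, n) ((m)->map[(n) >> 3] & (1 << ((n) & 7)))

/* Hypothetical hardened test: ids outside the allocation read as "bit clear". */
static int map_test_checked(const Map *m, int id)
{
    if (m == NULL || m->map == NULL || id < 0)
        return 0;
    if ((id >> 3) >= m->size)
        return 0;
    return (m->map[id >> 3] & (1 << (id & 7))) != 0;
}

/* Model of a "disabled" decision: with a considered map present, a solvable
 * whose bit is clear (or whose id is out of range) counts as disabled. */
static int solvable_disabled_checked(const Map *considered, int id)
{
    if (considered == NULL)
        return 0;
    return !map_test_checked(considered, id);
}

/* Constructed input: a 4-byte map (ids 0..31) with only id 5 set. */
static int demo(void)
{
    Map considered = { calloc(4, 1), 4 };
    if (considered.map == NULL)
        return -1;
    considered.map[5 >> 3] |= 1 << (5 & 7);
    int ok = MAPTST_UNCHECKED(&considered, 5) != 0      /* in range: safe */
          && solvable_disabled_checked(&considered, 5) == 0
          && solvable_disabled_checked(&considered, 6) == 1
          && solvable_disabled_checked(&considered, 32) == 1   /* first id past the end */
          && solvable_disabled_checked(&considered, 1 << 20) == 1
          && solvable_disabled_checked(&considered, -1) == 1;
    free(considered.map);
    return ok;
}

int main(void) { return demo() == 1 ? 0 : 1; }
```

Building the unchecked form with AddressSanitizer and feeding it an id of 32 or higher against this 4-byte map reproduces the class of heap-buffer-overflow read report the advisory refers to.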

Preconditions

  • input: The attacker must supply a crafted testcase file to the testsolv tool.
  • config: The vulnerable libsolv version must be older than 0.7.17.

Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
