From 9e8540770550f55ab9369f74e511f948226fcffd Mon Sep 17 00:00:00 2001
From: Roger Ng <rogerng@google.com>
Date: Wed, 13 May 2026 15:51:49 +0000
Subject: [PATCH 1/2] Prevent out-of-range slices in MigrationStorage

---
 storage/aws/aws.go     | 3 +++
 storage/gcp/gcp.go     | 3 +++
 storage/posix/files.go | 3 +++
 3 files changed, 9 insertions(+)

diff --git a/storage/aws/aws.go b/storage/aws/aws.go
index 08f2ebac..2a36b7f4 100644
--- a/storage/aws/aws.go
+++ b/storage/aws/aws.go
@@ -629,6 +629,9 @@ func (m *MigrationStorage) fetchLeafHashes(ctx context.Context, from, to, source
 			if err != nil {
 				return fmt.Errorf("bundleHasherFunc for bundle index %d: %v", ri.Index, err)
 			}
+			if len(bh) < int(ri.First+ri.N) {
+				return fmt.Errorf("bundle index %d has fewer entries than expected (%d < %d)", ri.Index, len(bh), ri.First+ri.N)
+			}
 			toBeAdded.Store(ri.Index, bh[ri.First:ri.First+ri.N])
 			return nil
 		})
diff --git a/storage/gcp/gcp.go b/storage/gcp/gcp.go
index 7e74da7b..8486bf73 100644
--- a/storage/gcp/gcp.go
+++ b/storage/gcp/gcp.go
@@ -1535,6 +1535,9 @@ func (m *MigrationStorage) fetchLeafHashes(ctx context.Context, from, to, source
 			if err != nil {
 				return fmt.Errorf("bundleHasherFunc for bundle index %d: %v", ri.Index, err)
 			}
+			if len(bh) < int(ri.First+ri.N) {
+				return fmt.Errorf("bundle index %d has fewer entries than expected (%d < %d)", ri.Index, len(bh), ri.First+ri.N)
+			}
 			toBeAdded.Store(ri.Index, bh[ri.First:ri.First+ri.N])
 			return nil
 		})
diff --git a/storage/posix/files.go b/storage/posix/files.go
index e7117083..c1eb7ae1 100644
--- a/storage/posix/files.go
+++ b/storage/posix/files.go
@@ -1116,6 +1116,9 @@ func (m *MigrationStorage) fetchLeafHashes(ctx context.Context, from, to, source
 		if err != nil {
 			return nil, fmt.Errorf("bundleHasherFunc for bundle index %d: %v", ri.Index, err)
 		}
+		if len(bh) < int(ri.First+ri.N) {
+			return nil, fmt.Errorf("bundle index %d has fewer entries than expected (%d < %d)", ri.Index, len(bh), ri.First+ri.N)
+		}
 		lh = append(lh, bh[ri.First:ri.First+ri.N]...)
 		n++
 		if n >= maxBundles {

From 016040f5b58a65954edaea1c4075f8b105b270ac Mon Sep 17 00:00:00 2001
From: Roger Ng <rogerng@google.com>
Date: Thu, 14 May 2026 15:49:37 +0000
Subject: [PATCH 2/2] Address comment

---
 storage/aws/aws.go     | 4 ++--
 storage/gcp/gcp.go     | 4 ++--
 storage/posix/files.go | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/storage/aws/aws.go b/storage/aws/aws.go
index 2a36b7f4..6ad61ba8 100644
--- a/storage/aws/aws.go
+++ b/storage/aws/aws.go
@@ -629,8 +629,8 @@ func (m *MigrationStorage) fetchLeafHashes(ctx context.Context, from, to, source
 			if err != nil {
 				return fmt.Errorf("bundleHasherFunc for bundle index %d: %v", ri.Index, err)
 			}
-			if len(bh) < int(ri.First+ri.N) {
-				return fmt.Errorf("bundle index %d has fewer entries than expected (%d < %d)", ri.Index, len(bh), ri.First+ri.N)
+			if l := len(bh); l < int(ri.First+ri.N) {
+				return fmt.Errorf("bundle index %d has fewer entries than expected (%d < %d)", ri.Index, l, ri.First+ri.N)
 			}
 			toBeAdded.Store(ri.Index, bh[ri.First:ri.First+ri.N])
 			return nil
diff --git a/storage/gcp/gcp.go b/storage/gcp/gcp.go
index 8486bf73..3a97acd2 100644
--- a/storage/gcp/gcp.go
+++ b/storage/gcp/gcp.go
@@ -1535,8 +1535,8 @@ func (m *MigrationStorage) fetchLeafHashes(ctx context.Context, from, to, source
 			if err != nil {
 				return fmt.Errorf("bundleHasherFunc for bundle index %d: %v", ri.Index, err)
 			}
-			if len(bh) < int(ri.First+ri.N) {
-				return fmt.Errorf("bundle index %d has fewer entries than expected (%d < %d)", ri.Index, len(bh), ri.First+ri.N)
+			if l := len(bh); l < int(ri.First+ri.N) {
+				return fmt.Errorf("bundle index %d has fewer entries than expected (%d < %d)", ri.Index, l, ri.First+ri.N)
 			}
 			toBeAdded.Store(ri.Index, bh[ri.First:ri.First+ri.N])
 			return nil
diff --git a/storage/posix/files.go b/storage/posix/files.go
index c1eb7ae1..560c08c0 100644
--- a/storage/posix/files.go
+++ b/storage/posix/files.go
@@ -1116,8 +1116,8 @@ func (m *MigrationStorage) fetchLeafHashes(ctx context.Context, from, to, source
 		if err != nil {
 			return nil, fmt.Errorf("bundleHasherFunc for bundle index %d: %v", ri.Index, err)
 		}
-		if len(bh) < int(ri.First+ri.N) {
-			return nil, fmt.Errorf("bundle index %d has fewer entries than expected (%d < %d)", ri.Index, len(bh), ri.First+ri.N)
+		if l := len(bh); l < int(ri.First+ri.N) {
+			return nil, fmt.Errorf("bundle index %d has fewer entries than expected (%d < %d)", ri.Index, l, ri.First+ri.N)
 		}
 		lh = append(lh, bh[ri.First:ri.First+ri.N]...)
 		n++