color: protect against out-of-bounds reads and writes

want_color_fd() is designed to work only with standard output and error file descriptors and stores information about each descriptor in an array. However, it doesn't verify that the passed-in descriptor lives within that set, which, with a buggy caller, could lead to access or assignment outside the array bounds. Signed-off-by: Eric Sunshine <sunshine@sunshineco.com> Acked-by: Johannes Schindelin <Johannes.Schindelin@gmx.de> Signed-off-by: Jonathan Nieder <jrnieder@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
author: Eric Sunshine <sunshine@sunshineco.com> 2018-08-03 06:07:49 (GMT)
committer: Junio C Hamano <gitster@pobox.com> 2018-08-03 15:52:05 (GMT)
commit: 65bb21e77e7f12e215974018b4b1febcb87c85c9 (patch)
tree: ee713d10567e5143518c9ae4213ea62edea4ab6c
parent: 53f9a3e157dbbc901a02ac2c73346d375e24978c (diff)
download: git-65bb21e77e7f12e215974018b4b1febcb87c85c9.zip
git-65bb21e77e7f12e215974018b4b1febcb87c85c9.tar.gz
git-65bb21e77e7f12e215974018b4b1febcb87c85c9.tar.bz2
1 files changed, 3 insertions, 0 deletions
diff --git a/color.c b/color.c
index b1c24c6..ebb222e 100644
--- a/color.c
+++ b/color.c
@@ -343,6 +343,9 @@ int want_color_fd(int fd, int var)
 
 	static int want_auto[3] = { -1, -1, -1 };
 
+	if (fd < 1 || fd >= ARRAY_SIZE(want_auto))
+		BUG("file descriptor out of range: %d", fd);
+
 	if (var < 0)
 		var = git_use_color_default;
author	Eric Sunshine <sunshine@sunshineco.com>	2018-08-03 06:07:49 (GMT)
committer	Junio C Hamano <gitster@pobox.com>	2018-08-03 15:52:05 (GMT)
commit	65bb21e77e7f12e215974018b4b1febcb87c85c9 (patch)
tree	ee713d10567e5143518c9ae4213ea62edea4ab6c
parent	53f9a3e157dbbc901a02ac2c73346d375e24978c (diff)
download	git-65bb21e77e7f12e215974018b4b1febcb87c85c9.zip git-65bb21e77e7f12e215974018b4b1febcb87c85c9.tar.gz git-65bb21e77e7f12e215974018b4b1febcb87c85c9.tar.bz2