authorMartin Koegler <mkoegler@auto.tuwien.ac.at>2008-01-06 19:03:10 (GMT)
committerJunio C Hamano <gitster@pobox.com>2008-01-07 02:41:44 (GMT)
commita0393ef67679ea7720290bd45d9d628920df59f3 (patch)
treefc6b9ce6502087710dadcaa4b2d1f65262c77a3c
parent5162e69732d13dd079919a389a6ace8878aad716 (diff)
parse_tag_buffer: don't parse invalid tags
The current tag parsing code can access memory outside the tag buffer if the \n characters are missing. This patch prevents this behaviour. Signed-off-by: Martin Koegler <mkoegler@auto.tuwien.ac.at> Signed-off-by: Junio C Hamano <gitster@pobox.com>
-rw-r--r--tag.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/tag.c b/tag.c
index f62bcdd..38bf913 100644
--- a/tag.c
+++ b/tag.c
@@ -39,6 +39,7 @@ int parse_tag_buffer(struct tag *item, void *data, unsigned long size)
unsigned char sha1[20];
const char *type_line, *tag_line, *sig_line;
char type[20];
+ const char *start = data;
if (item->object.parsed)
return 0;
@@ -53,11 +54,11 @@ int parse_tag_buffer(struct tag *item, void *data, unsigned long size)
if (memcmp("\ntype ", type_line-1, 6))
return -1;
- tag_line = strchr(type_line, '\n');
+ tag_line = memchr(type_line, '\n', size - (type_line - start));
if (!tag_line || memcmp("tag ", ++tag_line, 4))
return -1;
- sig_line = strchr(tag_line, '\n');
+ sig_line = memchr(tag_line, '\n', size - (tag_line - start));
if (!sig_line)
return -1;
sig_line++;
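Review bot: The `memcmp("tag ", ++tag_line, 4)` that follows the first bounded `memchr` is itself still unbounded: if the newline ending the type line sits within the last four bytes of the buffer, the comparison reads past `start + size`. The length left after the increment should be checked before comparing, e.g. `if (!tag_line || size - (++tag_line - start) < 4 || memcmp("tag ", tag_line, 4))`. Likewise, after `sig_line++` the pointer may equal `start + size`, so whatever reads from `sig_line` later in parse_tag_buffer (outside this hunk) needs to respect the same bound. Whether callers pad or NUL-terminate `data` is not visible here, so the parser should not rely on it. A short comment on `start` stating that all remaining-length arithmetic is relative to it would help the next reader keep the checks consistent.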