author: John Keeping <> 2014-03-08 19:29:17 (GMT)
committer: Junio C Hamano <> 2014-03-11 21:44:21 (GMT)
commit: 89ccc1b09cf4004e6129c66def42b47206ed6b5f (patch)
tree: 58dc634d9e32bd49cc5a4d4e0584b389493e985f /builtin/mv.c
parent: 7bbc4e8fdb33e0a8e42e77cc05460d4c4f615f4d (diff)
builtin/mv: fix out of bounds write
When commit a88c915 (mv: move submodules using a gitfile, 2013-07-30) added the submodule_gitfile array, it was not added to the block that enlarges the arrays when we are moving a directory so that we do not have to worry about it being a directory when we perform the actual move. After this, the loop continues over the enlarged set of sources.

Since we assume that submodule_gitfile has size argc, if any of the items in the source directory are submodules we are guaranteed to write beyond the end of submodule_gitfile.

Fix this by realloc'ing submodule_gitfile at the same time as the other arrays.

Reported-by: Guillaume Gelin <>
Signed-off-by: John Keeping <>
Signed-off-by: Junio C Hamano <>
Diffstat (limited to 'builtin/mv.c')
1 files changed, 4 insertions, 0 deletions
diff --git a/builtin/mv.c b/builtin/mv.c
index 21c46d1..5258077 100644
--- a/builtin/mv.c
+++ b/builtin/mv.c
@@ -179,6 +179,9 @@ int cmd_mv(int argc, const char **argv, const char *prefix)
modes = xrealloc(modes,
(argc + last - first)
* sizeof(enum update_mode));
+ submodule_gitfile = xrealloc(submodule_gitfile,
+ (argc + last - first)
+ * sizeof(char *));
dst = add_slash(dst);
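Review bot: the element size in the added xrealloc call is written as sizeof(char *) instead of being taken from the array, so it goes stale silently if the type of submodule_gitfile ever changes; sizeof(*submodule_gitfile) avoids that. The count (argc + last - first) is also repeated by hand for each parallel array resized here, which is the pattern that let submodule_gitfile be missed when it was introduced. Computing the new count once into a local and resizing every array from it would make the next added array harder to forget.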
@@ -192,6 +195,7 @@ int cmd_mv(int argc, const char **argv, const char *prefix)
prefix_path(dst, dst_len,
path + length + 1);
modes[argc + j] = INDEX;
+ submodule_gitfile[argc + j] = NULL;
argc += last - first;
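Review bot: the store submodule_gitfile[argc + j] = NULL carries no comment saying why NULL is the right initial value for the appended entries. The commit message explains that the loop continues over the enlarged set of sources and writes submodule_gitfile for entries that are submodules; a one-line comment next to the assignment would tell a reader the slot is filled in later and is not left NULL by oversight. The index argc + j is only in bounds because the realloc in the previous hunk uses the matching argc + last - first count, so the two should stay visibly tied together.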