diff options
author | Patrick Steinhardt <ps@pks.im> | 2022-12-01 14:46:49 (GMT) |
---|---|---|
committer | Junio C Hamano <gitster@pobox.com> | 2022-12-09 05:26:21 (GMT) |
commit | 48050c42c73c28b0c001d63d11dffac7e116847b (patch) | |
tree | fbea2ce85a3b749345fd987b13277e8f7ab26e00 /pretty.c | |
parent | 1de69c0cdd388b0a5b7bdde0bfa0bda514a354b0 (diff) | |
download | git-48050c42c73c28b0c001d63d11dffac7e116847b.zip git-48050c42c73c28b0c001d63d11dffac7e116847b.tar.gz git-48050c42c73c28b0c001d63d11dffac7e116847b.tar.bz2 |
pretty: fix integer overflow in wrapping format
The `%w(width,indent1,indent2)` formatting directive can be used to
rewrap text to a specific width and is designed after git-shortlog(1)'s
`-w` parameter. While the three parameters are all stored as `size_t`
internally, `strbuf_add_wrapped_text()` accepts integers as input. As a
result, the casted integers may overflow. As these now-negative integers
are later on passed to `strbuf_addchars()`, we will ultimately run into
implementation-defined behaviour due to casting a negative number back
to `size_t` again. On my platform, this results in trying to allocate
9000 petabyte of memory.
Fix this overflow by using `cast_size_t_to_int()` so that we reject
inputs that cannot be represented as an integer.
Signed-off-by: Patrick Steinhardt <ps@pks.im>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'pretty.c')
-rw-r--r-- | pretty.c | 4 |
1 files changed, 3 insertions, 1 deletions
@@ -915,7 +915,9 @@ static void strbuf_wrap(struct strbuf *sb, size_t pos, if (pos) strbuf_add(&tmp, sb->buf, pos); strbuf_add_wrapped_text(&tmp, sb->buf + pos, - (int) indent1, (int) indent2, (int) width); + cast_size_t_to_int(indent1), + cast_size_t_to_int(indent2), + cast_size_t_to_int(width)); strbuf_swap(&tmp, sb); strbuf_release(&tmp); } |