author: Martin Ågren <martin.agren@gmail.com> 2018-06-05 19:54:40 (GMT)
committer: Junio C Hamano <gitster@pobox.com> 2018-06-11 17:11:32 (GMT)
commit: 7865d157a5e8d86f46e626d933bda5c18eab196a (patch)
tree: 85020468a5a58315a8210ec9045b7176535e9b31 /refspec.c
parent: c495fd3d1b4b6b395346a8832edbea25f0d60ee7 (diff)
refspec: initialize `refspec_item` in `valid_fetch_refspec()`
We allocate a `struct refspec_item` on the stack without initializing it. In particular, its `dst` and `src` members will contain some random data from the stack. When we later call `refspec_item_clear()`, it will call `free()` on those pointers. So if the call to `parse_refspec()` did not assign to them, we will be freeing some random "pointers". This is undefined behavior.

To the best of my understanding, this cannot currently be triggered by user-provided data. And for what it's worth, the test-suite does not trigger this with SANITIZE=address. It can be provoked by calling `valid_fetch_refspec(":*")`.

Zero the struct, as is done in other users of `struct refspec_item` by using the refspec_item_init() initialization function.

Signed-off-by: Martin Ågren <martin.agren@gmail.com>
Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'refspec.c')
 refspec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/refspec.c b/refspec.c
index 597ddf8..e4c9e86 100644
--- a/refspec.c
+++ b/refspec.c
@@ -194,7 +194,7 @@ void refspec_clear(struct refspec *rs)
int valid_fetch_refspec(const char *fetch_refspec_str)
{
struct refspec_item refspec;
- int ret = parse_refspec(&refspec, fetch_refspec_str, REFSPEC_FETCH);
+ int ret = refspec_item_init(&refspec, fetch_refspec_str, REFSPEC_FETCH);
refspec_item_clear(&refspec);
return ret;
}
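Review bot: The fix rests entirely on refspec_item_init() zeroing `refspec` (in particular `src` and `dst`) before it parses, so that the unconditional `refspec_item_clear(&refspec);` on the following line frees NULL rather than uninitialized stack contents when parsing fails; that zeroing is not visible in this hunk, so a one-line comment above the call naming that guarantee would keep a future reader from swapping a bare parse_refspec() call back in. It is also worth confirming that refspec_item_init() returns the same success/failure value parse_refspec() did, since `ret` is handed straight back to callers as the validity result. Finally, the commit message states that the test-suite does not exercise the failing path and names `valid_fetch_refspec(":*")` as a trigger; a regression test for that input would make this fix verifiable under SANITIZE=address.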