path: root/unpack-trees.c
diff options
authorJeff King <>2019-07-31 04:38:25 (GMT)
committerJunio C Hamano <>2019-08-01 20:06:52 (GMT)
commit5aa02f98685d78666293149087d3f69b97528cfb (patch)
tree415bcf89bae3179e7b5ab78aa461482c46e69b96 /unpack-trees.c
parentc43ab062598d0299ea6e0d115a6018189a7793bf (diff)
tree-walk: harden make_traverse_path() length computations
The make_traverse_path() function isn't very careful about checking its output buffer boundaries. In fact, it doesn't even _know_ the size of the buffer it's writing to, and just assumes that the caller used traverse_path_len() correctly. And even then we assume that our traverse_info.pathlen components are all correct, and just blindly write into the buffer. Let's improve this situation a bit: - have the caller pass in their allocated buffer length, which we'll check against our own computations - check for integer underflow as we do our backwards-insertion of pathnames into the buffer - check that we do not run out items in our list to traverse before we've filled the expected number of bytes None of these should be triggerable in practice (especially since our switch to size_t everywhere in a previous commit), but it doesn't hurt to check our assumptions. Signed-off-by: Jeff King <> Signed-off-by: Junio C Hamano <>
Diffstat (limited to 'unpack-trees.c')
1 files changed, 2 insertions, 1 deletions
diff --git a/unpack-trees.c b/unpack-trees.c
index c3059c2..65c4677 100644
--- a/unpack-trees.c
+++ b/unpack-trees.c
@@ -968,7 +968,8 @@ static struct cache_entry *create_ce_entry(const struct traverse_info *info,
ce->ce_flags = create_ce_flags(stage);
ce->ce_namelen = len;
oidcpy(&ce->oid, &n->oid);
- make_traverse_path(ce->name, info, n->path, n->pathlen);
+ /* len+1 because the cache_entry allocates space for NUL */
+ make_traverse_path(ce->name, len + 1, info, n->path, n->pathlen);
return ce;