From 45d76f17182278d4c1de37b3eed60beb3b2f21ab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nguy=E1=BB=85n=20Th=C3=A1i=20Ng=E1=BB=8Dc=20Duy?= Date: Wed, 20 Jan 2010 21:09:16 +0700 Subject: Fix memory corruption when .gitignore does not end by \n MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Commit b5041c5 (Avoid writing to buffer in add_excludes_from_file_1()) tried not to append '\n' at the end because the next commit may return a buffer that does not have extra space for that. Unfortunately it left this assignment in the loop: buf[i - (i && buf[i-1] == '\r')] = 0; that can corrupt memory if "buf" is not '\n' terminated. But even if it does not corrupt memory, the last line would not be NULL-terminated, leading to errors later inside add_exclude(). This patch fixes it by reverting the faulty commit and make sure "buf" is always \n terminated. While at it, free unused memory properly. Signed-off-by: Nguyễn Thái Ngọc Duy Signed-off-by: Junio C Hamano diff --git a/dir.c b/dir.c index 1538ad5..67c3af6 100644 --- a/dir.c +++ b/dir.c @@ -242,6 +242,14 @@ int add_excludes_from_file_to_list(const char *fname, if (!check_index || (buf = read_skip_worktree_file_from_index(fname, &size)) == NULL) return -1; + if (size == 0) { + free(buf); + return 0; + } + if (buf[size-1] != '\n') { + buf = xrealloc(buf, size+1); + buf[size++] = '\n'; + } } else { size = xsize_t(st.st_size); @@ -249,19 +257,21 @@ int add_excludes_from_file_to_list(const char *fname, close(fd); return 0; } - buf = xmalloc(size); + buf = xmalloc(size+1); if (read_in_full(fd, buf, size) != size) { + free(buf); close(fd); return -1; } + buf[size++] = '\n'; close(fd); } if (buf_p) *buf_p = buf; entry = buf; - for (i = 0; i <= size; i++) { - if (i == size || buf[i] == '\n') { + for (i = 0; i < size; i++) { + if (buf[i] == '\n') { if (entry != buf + i && entry[0] != '#') { buf[i - (i && buf[i-1] == '\r')] = 0; add_exclude(entry, base, baselen, which); -- cgit v0.10.2-6-g49f6
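Review bot: The two checks added in the index-fallback branch carry no comment, although the entry loop in the second hunk now depends on what they establish: with `i < size` and no `i == size` case, the last entry is only terminated if the buffer ends in '\n'. I would add above `if (buf[size-1] != '\n')` a comment such as `/* the parse loop below NUL-terminates entries in place at each '\n', so the buffer must end with one */`. It is also worth stating that this branch appends the newline only when it is missing while the file branch appends it unconditionally, so a reader does not take the difference for an oversight. The function body starts and ends outside the hunk.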
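Review bot: `xmalloc(size+1)` can wrap to a zero-byte request when `st.st_size` equals the largest value `size_t` can hold (conceivable on a 32-bit build with a file of exactly that length), and `read_in_full(fd, buf, size)` would then write past the allocation. `xsize_t()` presumably rejects sizes that do not fit in `size_t`, but not this boundary value; a guard before the allocation, e.g. `if (size == (size_t)-1) { close(fd); return -1; }`, closes the gap. The `xrealloc(buf, size+1)` in the first hunk has the same shape, but its size describes a buffer that is already in memory, so it should not be able to reach the boundary. The function continues outside the hunk.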