From a0393ef67679ea7720290bd45d9d628920df59f3 Mon Sep 17 00:00:00 2001
From: Martin Koegler
Date: Sun, 6 Jan 2008 20:03:10 +0100
Subject: parse_tag_buffer: don't parse invalid tags
The current tag parsing code can access memory outside the tag buffer, if \n are missing. This patch prevent this behaviour.
Signed-off-by: Martin Koegler
Signed-off-by: Junio C Hamano
diff --git a/tag.c b/tag.c
index f62bcdd..38bf913 100644
--- a/tag.c
+++ b/tag.c
@@ -39,6 +39,7 @@ int parse_tag_buffer(struct tag *item, void *data, unsigned long size)
 unsigned char sha1[20];
 const char *type_line, *tag_line, *sig_line;
 char type[20];
+ const char *start = data;
 if (item->object.parsed)
 return 0;
@@ -53,11 +54,11 @@ int parse_tag_buffer(struct tag *item, void *data, unsigned long size)
 if (memcmp("\ntype ", type_line-1, 6))
 return -1;
- tag_line = strchr(type_line, '\n');
+ tag_line = memchr(type_line, '\n', size - (type_line - start));
 if (!tag_line || memcmp("tag ", ++tag_line, 4))
 return -1;
- sig_line = strchr(tag_line, '\n');
+ sig_line = memchr(tag_line, '\n', size - (tag_line - start));
 if (!sig_line)
 return -1;
 sig_line++;
--
cgit v0.10.2-6-g49f6
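Review bot: In the second hunk, the context line `memcmp("tag ", ++tag_line, 4)` can still read past the end of the buffer, because the new `memchr` only guarantees that the newline itself lies inside `size` bytes. If that newline falls within the last four bytes of the tag, the 4-byte compare after the increment starts at or near the end of the buffer and is not bounded by `size`. The guard should check the remaining length first, for example `if (!tag_line || size - (++tag_line - start) < 4 || memcmp("tag ", tag_line, 4))`. The body of parse_tag_buffer starts before and continues after this hunk, so whatever consumes `sig_line` after `sig_line++` presumably needs the same kind of length check; that code is not visible here.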