Merge branch 'maint'

diff --git a/receive-pack.c b/receive-pack.c
index fba4cf82353ff43eae7430c863680f481e03dcb0..326749583221d0f5e81f58608a23ab1dc1601177 100644 (file)
--- a/receive-pack.c
+++ b/receive-pack.c
@@ -165,7 +165,8 @@ static const char *update(struct command *cmd)
        unsigned char *new_sha1 = cmd->new_sha1;
        struct ref_lock *lock;
 
-       if (!prefixcmp(name, "refs/") && check_ref_format(name + 5)) {
+       /* only refs/... are allowed */
+       if (prefixcmp(name, "refs/") || check_ref_format(name + 5)) {
                error("refusing to create funny ref '%s' remotely", name);
                return "funny refname";
        }
@@ -178,11 +179,21 @@ static const char *update(struct command *cmd)
        if (deny_non_fast_forwards && !is_null_sha1(new_sha1) &&
            !is_null_sha1(old_sha1) &&
            !prefixcmp(name, "refs/heads/")) {
+               struct object *old_object, *new_object;
                struct commit *old_commit, *new_commit;
                struct commit_list *bases, *ent;
 
-               old_commit = (struct commit *)parse_object(old_sha1);
-               new_commit = (struct commit *)parse_object(new_sha1);
+               old_object = parse_object(old_sha1);
+               new_object = parse_object(new_sha1);
+
+               if (!old_object || !new_object ||
+                   old_object->type != OBJ_COMMIT ||
+                   new_object->type != OBJ_COMMIT) {
+                       error("bad sha1 objects for %s", name);
+                       return "bad ref";
+               }
+               old_commit = (struct commit *)old_object;
+               new_commit = (struct commit *)new_object;
                bases = get_merge_bases(old_commit, new_commit, 1);
                for (ent = bases; ent; ent = ent->next)
                        if (!hashcmp(old_sha1, ent->item->object.sha1))