unique_path: fix unlikely heap overflow

diff --git a/builtin/replace.c b/builtin/replace.c
index 3da1bae0a60942f3aad5362f12a4e1db42589f32..1bb491d3c4f282e7f68d25cae0e00f419df1dd93 100644 (file)
--- a/builtin/replace.c
+++ b/builtin/replace.c
@@ -16,6 +16,7 @@
 
 static const char * const git_replace_usage[] = {
        N_("git replace [-f] <object> <replacement>"),
+       N_("git replace [-f] --edit <object>"),
        N_("git replace -d <object>..."),
        N_("git replace [--format=<format>] [-l [<pattern>]]"),
        NULL
@@ -124,6 +125,25 @@ static int delete_replace_ref(const char *name, const char *ref,
        return 0;
 }
 
+static void check_ref_valid(unsigned char object[20],
+                           unsigned char prev[20],
+                           char *ref,
+                           int ref_size,
+                           int force)
+{
+       if (snprintf(ref, ref_size,
+                    "refs/replace/%s",
+                    sha1_to_hex(object)) > ref_size - 1)
+               die("replace ref name too long: %.*s...", 50, ref);
+       if (check_refname_format(ref, 0))
+               die("'%s' is not a valid ref name.", ref);
+
+       if (read_ref(ref, prev))
+               hashclr(prev);
+       else if (!force)
+               die("replace ref '%s' already exists", ref);
+}
+
 static int replace_object_sha1(const char *object_ref,
                               unsigned char object[20],
                               const char *replace_ref,
@@ -135,13 +155,6 @@ static int replace_object_sha1(const char *object_ref,
        char ref[PATH_MAX];
        struct ref_lock *lock;
 
-       if (snprintf(ref, sizeof(ref),
-                    "refs/replace/%s",
-                    sha1_to_hex(object)) > sizeof(ref) - 1)
-               die("replace ref name too long: %.*s...", 50, ref);
-       if (check_refname_format(ref, 0))
-               die("'%s' is not a valid ref name.", ref);
-
        obj_type = sha1_object_info(object, NULL);
        repl_type = sha1_object_info(repl, NULL);
        if (!force && obj_type != repl_type)
@@ -151,10 +164,7 @@ static int replace_object_sha1(const char *object_ref,
                    object_ref, typename(obj_type),
                    replace_ref, typename(repl_type));
 
-       if (read_ref(ref, prev))
-               hashclr(prev);
-       else if (!force)
-               die("replace ref '%s' already exists", ref);
+       check_ref_valid(object, prev, ref, sizeof(ref), force);
 
        lock = lock_any_ref_for_update(ref, prev, 0, NULL);
        if (!lock)
@@ -259,7 +269,8 @@ static int edit_and_replace(const char *object_ref, int force)
 {
        char *tmpfile = git_pathdup("REPLACE_EDITOBJ");
        enum object_type type;
-       unsigned char old[20], new[20];
+       unsigned char old[20], new[20], prev[20];
+       char ref[PATH_MAX];
 
        if (get_sha1(object_ref, old) < 0)
                die("Not a valid object name: '%s'", object_ref);
@@ -268,6 +279,8 @@ static int edit_and_replace(const char *object_ref, int force)
        if (type < 0)
                die("unable to get object type for %s", sha1_to_hex(old));
 
+       check_ref_valid(old, prev, ref, sizeof(ref), force);
+
        export_object(old, tmpfile);
        if (launch_editor(tmpfile, NULL, NULL) < 0)
                die("editing object file failed");
@@ -275,6 +288,9 @@ static int edit_and_replace(const char *object_ref, int force)
 
        free(tmpfile);
 
+       if (!hashcmp(old, new))
+               return error("new object is the same as the old one: '%s'", sha1_to_hex(old));
+
        return replace_object_sha1(object_ref, old, "replacement", new, force);
 }