Fix memory corruption when .gitignore does not end by \n
authorNguyễn Thái Ngọc Duy <pclouds@gmail.com>
Wed, 20 Jan 2010 14:09:16 +0000 (21:09 +0700)
committerJunio C Hamano <gitster@pobox.com>
Thu, 21 Jan 2010 04:01:52 +0000 (20:01 -0800)
Commit b5041c5 (Avoid writing to buffer in add_excludes_from_file_1())
tried not to append '\n' at the end because the next commit
may return a buffer that does not have extra space for that.

Unfortunately it left this assignment in the loop:

buf[i - (i && buf[i-1] == '\r')] = 0;

that can corrupt memory if "buf" is not '\n' terminated. But even if
it does not corrupt memory, the last line would not be
NULL-terminated, leading to errors later inside add_exclude().

This patch fixes it by reverting the faulty commit and make
sure "buf" is always \n terminated.

While at it, free unused memory properly.

Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
dir.c
diff --git a/dir.c b/dir.c
index 1538ad5da30e08c03e4297ceb369b7a09a301af4..67c3af6a1a91e2acaa873587d6df5318d2fb9ba8 100644 (file)
--- a/dir.c
+++ b/dir.c
@@ -242,6 +242,14 @@ int add_excludes_from_file_to_list(const char *fname,
                if (!check_index ||
                    (buf = read_skip_worktree_file_from_index(fname, &size)) == NULL)
                        return -1;
+               if (size == 0) {
+                       free(buf);
+                       return 0;
+               }
+               if (buf[size-1] != '\n') {
+                       buf = xrealloc(buf, size+1);
+                       buf[size++] = '\n';
+               }
        }
        else {
                size = xsize_t(st.st_size);
@@ -249,19 +257,21 @@ int add_excludes_from_file_to_list(const char *fname,
                        close(fd);
                        return 0;
                }
-               buf = xmalloc(size);
+               buf = xmalloc(size+1);
                if (read_in_full(fd, buf, size) != size) {
+                       free(buf);
                        close(fd);
                        return -1;
                }
+               buf[size++] = '\n';
                close(fd);
        }
 
        if (buf_p)
                *buf_p = buf;
        entry = buf;
-       for (i = 0; i <= size; i++) {
-               if (i == size || buf[i] == '\n') {
+       for (i = 0; i < size; i++) {
+               if (buf[i] == '\n') {
                        if (entry != buf + i && entry[0] != '#') {
                                buf[i - (i && buf[i-1] == '\r')] = 0;
                                add_exclude(entry, base, baselen, which);