pathspec: handle non-terminated strings with :(attr)

The pathspec code always takes names to be matched as a
name/namelen pair, but match_attrs() never looks at namelen,
and just treats "name" like a NUL-terminated string, passing
it to git_check_attr().

This usually works anyway. Every caller passes a
NUL-terminated string, and in all but one the passed-in
length is the same as the length of the string (the
exception is dir_path_match(), which may pass a smaller
length to drop a trailing slash). So we won't currently ever
read random memory, and the one case I found actually
happens to work correctly because the attr code can handle
the trailing slash itself.

But it's still worth addressing, as the function interface
implies that the name does not have to be NUL-terminated,
making this an accident waiting to happen.

Since teaching git_check_attr() to take a ptr/len pair would
be a big refactor, we'll just allocate a new string. We can
do this only when necessary, which avoids paying the cost
for most callers.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

diff --git a/dir.c b/dir.c
index 47c2fca8dc33970a1f4f041360ef954da6fa75a8..ab6477d777e96cb9789f1c6b3220af349731a701 100644 (file)
--- a/dir.c
+++ b/dir.c
@@ -281,8 +281,15 @@ static int match_attrs(const struct index_state *istate,
                       const struct pathspec_item *item)
 {
        int i;
+       char *to_free = NULL;
+
+       if (name[namelen])
+               name = to_free = xmemdupz(name, namelen);
 
        git_check_attr(istate, name, item->attr_check);
+
+       free(to_free);
+
        for (i = 0; i < item->attr_match_nr; i++) {
                const char *value;
                int matched;