parse_tag_buffer: don't parse invalid tags
author
Martin Koegler
<mkoegler@auto.tuwien.ac.at>
Sun, 6 Jan 2008 19:03:10 +0000
(20:03 +0100)
committer
Junio C Hamano
<gitster@pobox.com>
Mon, 7 Jan 2008 02:41:44 +0000
(18:41 -0800)
The current tag parsing code can access memory outside the tag buffer,
if \n are missing. This patch prevents this behaviour.
Signed-off-by: Martin Koegler <mkoegler@auto.tuwien.ac.at>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
tag.c
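--- a/tag.c
+++ b/tag.c
@@ -39,6 +39,7 @@ int parse_tag_buffer(struct tag *item, void *data, unsigned long size)
 unsigned char sha1[20];
 const char *type_line, *tag_line, *sig_line;
 char type[20];
+const char *start = data;
 if (item->object.parsed)
 return 0;
@@ -53,11 +54,11 @@ int parse_tag_buffer(struct tag *item, void *data, unsigned long size)
 if (memcmp("\ntype ", type_line-1, 6))
 return -1;
-tag_line = strchr(type_line, '\n');
+tag_line = memchr(type_line, '\n', size - (type_line - start));
 if (!tag_line || memcmp("tag ", ++tag_line, 4))
 return -1;
-sig_line = strchr(tag_line, '\n');
+sig_line = memchr(tag_line, '\n', size - (tag_line - start));
 if (!sig_line)
 return -1;
 sig_line++;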
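Review bot: `memcmp("tag ", ++tag_line, 4)` in the second hunk still reads four bytes after the newline without checking that they lie within `size`, so a buffer whose type line ends in its last four bytes is still read past its end even though the `memchr` search itself is now bounded. A length guard ahead of the compare would close that, for example `if (!tag_line || size - (tag_line + 1 - start) < 4 || memcmp("tag ", ++tag_line, 4))`. Likewise `sig_line++` can leave `sig_line` equal to `start + size`, so whatever reads from it later needs its own bound. Both `size - (… - start)` lengths also assume the pointer is already inside the buffer; that depends on checks earlier in parse_tag_buffer, whose body starts and ends outside the visible hunks.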