diff options
| author | Jeff King <peff@peff.net> | 2021-08-09 18:48:48 -0400 |
|---|---|---|
| committer | Johannes Schindelin <johannes.schindelin@gmx.de> | 2023-03-12 20:31:55 +0100 |
| commit | c025b4b2f1ee0cd9eed2e900c03780683294bb18 (patch) | |
| tree | c637de91bbf4dff9bb88cd2b7ab50d0df8a51ab1 /compat/regex/regexec.c | |
| parent | a36df79a37c7c643177905ce725dca8e9bd092d3 (diff) | |
range-diff: use ssize_t for parsed "len" in read_patches()
As we iterate through the buffer containing git-log output, parsing
lines, we use an "int" to store the size of an individual line. This
should be a size_t, as we have no guarantee that there is not a
malicious 2GB+ commit-message line in the output.
Overflowing this integer probably doesn't do anything _too_ terrible. We
are not using the value to size a buffer, so the worst case is probably
an out-of-bounds read from before the array. But it's easy enough to
fix.
Note that we have to use ssize_t here, since we also store the length
result from parse_git_diff_header(), which may return a negative value
for error. That function actually returns an int itself, which has a
similar overflow problem, but I'll leave that for another day. Much
of the apply.c code uses ints and should be converted as a whole; in the
meantime, a negative return from parse_git_diff_header() will be
interpreted as an error, and we'll bail (so we can't handle such a case,
but given that it's likely to be malicious anyway, the important thing
is we don't have any memory errors).
Signed-off-by: Jeff King <peff@peff.net>
Acked-by: Derrick Stolee <dstolee@microsoft.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'compat/regex/regexec.c')
0 files changed, 0 insertions, 0 deletions