author | Jeff King <peff@peff.net> | 2014-08-23 07:32:37 +0200 |
---|---|---|
committer | Junio C Hamano <gitster@pobox.com> | 2014-08-25 21:20:57 +0200 |
commit | c252785982c268e5c969900c677322744d09f52e (patch) | |
tree | 23f0fdc47e95e924827fc3039351f09a482f1eca | |
parent | fast-import: clean up pack_data pointer in end_packfile (diff) | |
fast-import: fix buffer overflow in dump_tags
When creating a new annotated tag, we sprintf the refname
into a static-sized buffer. If we have an absurdly long
tagname, like:
git init repo &&
cd repo &&
git commit --allow-empty -m foo &&
git tag -m message mytag &&
git fast-export mytag |
perl -lpe '/^tag/ and s/mytag/"a" x 8192/e' |
git fast-import <input
we'll overflow the buffer. We can fix it by using a strbuf.
Signed-off-by: Jeff King <peff@peff.net>
Reviewed-by: Michael Haggerty <mhagger@alum.mit.edu>
Reviewed-by: Ronnie Sahlberg <sahlberg@google.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
-rw-r--r-- | fast-import.c | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/fast-import.c b/fast-import.c
index 92b3186326..6475febe99 100644
--- a/fast-import.c
+++ b/fast-import.c
@@ -1730,14 +1730,16 @@ static void dump_tags(void)
 static const char *msg = "fast-import";
 struct tag *t;
 struct ref_lock *lock;
- char ref_name[PATH_MAX];
+ struct strbuf ref_name = STRBUF_INIT;
 for (t = first_tag; t; t = t->next_tag) {
- sprintf(ref_name, "tags/%s", t->name);
- lock = lock_ref_sha1(ref_name, NULL);
+ strbuf_reset(&ref_name);
+ strbuf_addf(&ref_name, "tags/%s", t->name);
+ lock = lock_ref_sha1(ref_name.buf, NULL);
 if (!lock || write_ref_sha1(lock, t->sha1, msg) < 0)
- failure |= error("Unable to update %s", ref_name);
+ failure |= error("Unable to update %s", ref_name.buf);
 }
+ strbuf_release(&ref_name);
 }
 static void dump_marks_helper(FILE *f, |
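Review bot: The tag name is no longer bounded when it reaches `lock_ref_sha1(ref_name.buf, NULL)`, and that callee is not part of this hunk, so the fix is only complete if the callee rejects or copes with a refname longer than PATH_MAX; this is worth confirming, since the value comes straight from the import stream. A short comment above the call would record the assumption, for example `/* t->name is stream-controlled and unbounded; lock_ref_sha1() must validate it */`. The diffstat shows only fast-import.c changed, so the reproducer from the commit message is not kept as a regression test; adding it to the fast-import tests would guard the fix. dump_tags begins before the hunk's first line, so its opening is not visible here.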