summaryrefslogtreecommitdiffstats
path: root/tree-walk.c
diff options
context:
space:
mode:
authorMartin Koegler <mkoegler@auto.tuwien.ac.at>2008-01-06 18:21:10 +0100
committerJunio C Hamano <gitster@pobox.com>2008-01-07 03:41:44 +0100
commit64cc1c0909949fa2866ad71ad2d1ab7ccaa673d9 (patch)
tree38dc3d651f1edfacaff677744056e9870b8f27ea /tree-walk.c
parentDocument the color.interactive semantics (diff)
downloadgit-64cc1c0909949fa2866ad71ad2d1ab7ccaa673d9.tar.xz
git-64cc1c0909949fa2866ad71ad2d1ab7ccaa673d9.zip
tree-walk: don't parse incorrect entries
The current code can access memory outside of the tree buffer in the case of malformed tree entries. This patch prevents this by: * The rest of the buffer must be at least 24 bytes (at least 1 byte mode, 1 blank, at least one byte path name, 1 NUL, 20 bytes sha1). * Check that the last NUL (21 bytes before the end) is present. This ensures that strlen() and get_mode() calls stay within the buffer. * The mode may not be empty. We have only to reject a blank at the begin, as the rest is handled by if (c < '0' || c > '7'). * The blank is ensured by get_mode(). * The path must contain at least one character. Signed-off-by: Martin Koegler <mkoegler@auto.tuwien.ac.at> Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'tree-walk.c')
-rw-r--r--tree-walk.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/tree-walk.c b/tree-walk.c
index 8d4b67317f..142205ddc3 100644
--- a/tree-walk.c
+++ b/tree-walk.c
@@ -7,6 +7,9 @@ static const char *get_mode(const char *str, unsigned int *modep)
unsigned char c;
unsigned int mode = 0;
+ if (*str == ' ')
+ return NULL;
+
while ((c = *str++) != ' ') {
if (c < '0' || c > '7')
return NULL;
@@ -16,13 +19,16 @@ static const char *get_mode(const char *str, unsigned int *modep)
return str;
}
-static void decode_tree_entry(struct tree_desc *desc, const void *buf, unsigned long size)
+static void decode_tree_entry(struct tree_desc *desc, const char *buf, unsigned long size)
{
const char *path;
unsigned int mode, len;
+ if (size < 24 || buf[size - 21])
+ die("corrupt tree file");
+
path = get_mode(buf, &mode);
- if (!path)
+ if (!path || !*path)
die("corrupt tree file");
len = strlen(path) + 1;