summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLibravatar Dmitry Potapov <dpotapov@gmail.com>2008-07-16 19:33:29 +0400
committerLibravatar Junio C Hamano <gitster@pobox.com>2008-07-16 13:30:34 -0700
commit620e2bb93785ed8eb60846d94fd4753d4817c8ec (patch)
treec7c2c34dc1d9ec69fd233fe6e8a53934cf18d154
parentgit-cvsserver: fix call to nonexistant cleanupWorkDir() (diff)
downloadtgif-620e2bb93785ed8eb60846d94fd4753d4817c8ec.tar.xz
Fix buffer overflow in git-grep
If PATH_MAX on your system is smaller than any path stored in the git repository, that can cause memory corruption inside of the grep_tree function used by git-grep. Signed-off-by: Dmitry Potapov <dpotapov@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
-rw-r--r--builtin-grep.c27
1 files changed, 15 insertions, 12 deletions
diff --git a/builtin-grep.c b/builtin-grep.c
index ef299108f5..647535061c 100644
--- a/builtin-grep.c
+++ b/builtin-grep.c
@@ -427,33 +427,35 @@ static int grep_tree(struct grep_opt *opt, const char **paths,
struct name_entry entry;
char *down;
int tn_len = strlen(tree_name);
- char *path_buf = xmalloc(PATH_MAX + tn_len + 100);
+ struct strbuf pathbuf;
+
+ strbuf_init(&pathbuf, PATH_MAX + tn_len);
if (tn_len) {
- tn_len = sprintf(path_buf, "%s:", tree_name);
- down = path_buf + tn_len;
- strcat(down, base);
- }
- else {
- down = path_buf;
- strcpy(down, base);
+ strbuf_add(&pathbuf, tree_name, tn_len);
+ strbuf_addch(&pathbuf, ':');
+ tn_len = pathbuf.len;
}
- len = strlen(path_buf);
+ strbuf_addstr(&pathbuf, base);
+ len = pathbuf.len;
while (tree_entry(tree, &entry)) {
- strcpy(path_buf + len, entry.path);
+ int te_len = tree_entry_len(entry.path, entry.sha1);
+ pathbuf.len = len;
+ strbuf_add(&pathbuf, entry.path, te_len);
if (S_ISDIR(entry.mode))
/* Match "abc/" against pathspec to
* decide if we want to descend into "abc"
* directory.
*/
- strcpy(path_buf + len + tree_entry_len(entry.path, entry.sha1), "/");
+ strbuf_addch(&pathbuf, '/');
+ down = pathbuf.buf + tn_len;
if (!pathspec_matches(paths, down))
;
else if (S_ISREG(entry.mode))
- hit |= grep_sha1(opt, entry.sha1, path_buf, tn_len);
+ hit |= grep_sha1(opt, entry.sha1, pathbuf.buf, tn_len);
else if (S_ISDIR(entry.mode)) {
enum object_type type;
struct tree_desc sub;
@@ -469,6 +471,7 @@ static int grep_tree(struct grep_opt *opt, const char **paths,
free(data);
}
}
+ strbuf_release(&pathbuf);
return hit;
}