summaryrefslogtreecommitdiff
path: root/builtin-update-ref.c
diff options
context:
space:
mode:
authorLibravatar René Scharfe <rene.scharfe@lsrfire.ath.cx>2009-01-31 15:39:10 +0100
committerLibravatar Junio C Hamano <gitster@pobox.com>2009-01-31 10:39:55 -0800
commitc7cddc1a2f365e4f4aea71b700c0b833eb436fee (patch)
treebef2c12a4203ddd03aa27def6bc1fe8fefc8e451 /builtin-update-ref.c
parentavoid 31-bit truncation in write_loose_object (diff)
downloadtgif-c7cddc1a2f365e4f4aea71b700c0b833eb436fee.tar.xz
merge: fix out-of-bounds memory access
The parameter n of unpack_callback() can have a value of up to MAX_UNPACK_TREES. The check at the top of unpack_trees() (its only (indirect) caller) makes sure it cannot exceed this limit. unpack_callback() passes it and the array src to unpack_nondirectories(), which has this loop: for (i = 0; i < n; i++) { /* ... */ src[i + o->merge] = o->df_conflict_entry; o->merge can be 0 or 1, so unpack_nondirectories() potentially accesses the array src at index MAX_UNPACK_TREES. This patch makes it big enough. Reported-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: René Scharfe <rene.scharfe@lsrfire.ath.cx> Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'builtin-update-ref.c')
0 files changed, 0 insertions, 0 deletions