diff options
author | Johannes Schindelin <johannes.schindelin@gmx.de> | 2017-04-13 21:21:58 +0200 |
---|---|---|
committer | Junio C Hamano <gitster@pobox.com> | 2017-04-13 17:53:08 -0700 |
commit | 882add136fa8319832ef373b8797ef58edb80efc (patch) | |
tree | e36f9c09c1461ff5c06e047946f4eac680184413 /t/t1005-read-tree-reset.sh | |
parent | difftool: avoid strcpy (diff) | |
download | tgif-882add136fa8319832ef373b8797ef58edb80efc.tar.xz |
difftool: fix use-after-free
The left and right base directories were pointed to the buf field of
two strbufs, which were subject to change.
A contrived test case shows the problem where a file with a long enough
name to force the strbuf to grow is up-to-date (hence the code path is
used where the work tree's version of the file is reused), and then a
file that is not up-to-date needs to be written (hence the code path is
used where checkout_entry() uses the previously recorded base_dir that
is invalid by now).
Let's just copy the base_dir strings for use with checkout_entry(),
never touch them until the end, and release them then. This is an easily
verifiable fix (as opposed to the next-obvious alternative: to re-set
base_dir after every loop iteration).
This fixes https://github.com/git-for-windows/git/issues/1124
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 't/t1005-read-tree-reset.sh')
0 files changed, 0 insertions, 0 deletions