summaryrefslogtreecommitdiff
path: root/worktree.c
diff options
context:
space:
mode:
authorLibravatar Phillip Wood <phillip.wood@dunelm.org.uk>2018-10-04 11:07:41 +0100
committerLibravatar Junio C Hamano <gitster@pobox.com>2018-10-04 22:47:26 -0700
commit74d156f4a1b1d563b422127ee347eaa348973a0c (patch)
tree64941cf83b6582e066c14ae27d01297d194153c1 /worktree.c
parentSecond batch post 2.19 (diff)
downloadtgif-74d156f4a1b1d563b422127ee347eaa348973a0c.tar.xz
diff --color-moved-ws: fix double free crash
Running git diff --color-moved-ws=allow-indentation-change v2.18.0 v2.19.0 results in a crash due to a double free. This happens when two potential moved blocks start with consecutive lines. As pmb_advance_or_null_multi_match() advances it copies the ws_delta from the last matching line to the next. When the first of our consecutive lines is advanced its ws_delta well be copied to the second, overwriting the ws_delta of the block containing the second line. Then when the second line is advanced it will copy the new ws_delta to the line below it and so on. Eventually one of these blocks will stop matching and the ws_delta will be freed. From then on the other block is in a use-after-free state and when it stops matching it will try to free the ws_delta that has already been freed by the other block. The solution is to store the ws_delta in the array of potential moved blocks rather than with the lines. This means that it no longer needs to be copied around and one block cannot overwrite the ws_delta of another. Additionally it saves some malloc/free calls as we don't keep allocating and freeing ws_deltas. Signed-off-by: Phillip Wood <phillip.wood@dunelm.org.uk> Reviewed-by: Stefan Beller <sbeller@google.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'worktree.c')
0 files changed, 0 insertions, 0 deletions