diff options
author | Dmitry Potapov <dpotapov@gmail.com> | 2008-07-16 19:33:29 +0400 |
---|---|---|
committer | Junio C Hamano <gitster@pobox.com> | 2008-07-16 13:30:34 -0700 |
commit | 620e2bb93785ed8eb60846d94fd4753d4817c8ec (patch) | |
tree | c7c2c34dc1d9ec69fd233fe6e8a53934cf18d154 | |
parent | df4b3abc941a0f876c3b1f5490e6ea01a4fb62cf (diff) | |
download | git-620e2bb93785ed8eb60846d94fd4753d4817c8ec.tar.gz |
Fix buffer overflow in git-grep
If PATH_MAX on your system is smaller than any path stored in the git
repository, that can cause memory corruption inside of the grep_tree
function used by git-grep.
Signed-off-by: Dmitry Potapov <dpotapov@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
-rw-r--r-- | builtin-grep.c | 27 |
1 files changed, 15 insertions, 12 deletions
diff --git a/builtin-grep.c b/builtin-grep.c index ef299108f5..647535061c 100644 --- a/builtin-grep.c +++ b/builtin-grep.c @@ -427,33 +427,35 @@ static int grep_tree(struct grep_opt *opt, const char **paths, struct name_entry entry; char *down; int tn_len = strlen(tree_name); - char *path_buf = xmalloc(PATH_MAX + tn_len + 100); + struct strbuf pathbuf; + + strbuf_init(&pathbuf, PATH_MAX + tn_len); if (tn_len) { - tn_len = sprintf(path_buf, "%s:", tree_name); - down = path_buf + tn_len; - strcat(down, base); - } - else { - down = path_buf; - strcpy(down, base); + strbuf_add(&pathbuf, tree_name, tn_len); + strbuf_addch(&pathbuf, ':'); + tn_len = pathbuf.len; } - len = strlen(path_buf); + strbuf_addstr(&pathbuf, base); + len = pathbuf.len; while (tree_entry(tree, &entry)) { - strcpy(path_buf + len, entry.path); + int te_len = tree_entry_len(entry.path, entry.sha1); + pathbuf.len = len; + strbuf_add(&pathbuf, entry.path, te_len); if (S_ISDIR(entry.mode)) /* Match "abc/" against pathspec to * decide if we want to descend into "abc" * directory. */ - strcpy(path_buf + len + tree_entry_len(entry.path, entry.sha1), "/"); + strbuf_addch(&pathbuf, '/'); + down = pathbuf.buf + tn_len; if (!pathspec_matches(paths, down)) ; else if (S_ISREG(entry.mode)) - hit |= grep_sha1(opt, entry.sha1, path_buf, tn_len); + hit |= grep_sha1(opt, entry.sha1, pathbuf.buf, tn_len); else if (S_ISDIR(entry.mode)) { enum object_type type; struct tree_desc sub; @@ -469,6 +471,7 @@ static int grep_tree(struct grep_opt *opt, const char **paths, free(data); } } + strbuf_release(&pathbuf); return hit; } |