author: Jonathan Nieder <jrnieder@gmail.com> 2010-04-19 03:03:40 -0500
committer: Junio C Hamano <gitster@pobox.com> 2010-04-19 22:16:35 -0700
commit: 97a20eea199f490760cc25b1b7df28361f54e536 (patch)
tree: fb44adfef431d3a230420a11056b23b39b4d1769 /builtin-update-ref.c
parent: f62e0a39b69c2752b92f01bb05a6676639f46a65 (diff)
fix "bundle --stdin" segfault

When passed an empty list, objects_array_remove_duplicates() corrupts it by changing the number of entries from 0 to 1.

The problem lies in the condition of its main loop:

    for (ref = 0; ref < array->nr - 1; ref++) {

The loop body manipulates the supplied object array. In the case of an empty array, it should not be doing anything at all. But array->nr is an unsigned quantity, so the code enters the loop, in particular increasing array->nr. Fix this by comparing (ref + 1 < array->nr) instead.

This bug can be triggered by git bundle --stdin:

    $ echo HEAD | git bundle create some.bundle --stdin
    Segmentation fault (core dumped)

The list of commits to bundle appears to be empty because of another bug: by the time the revision-walking machinery gets to look at it, standard input has already been consumed by rev-list, so this function gets an empty list of revisions.

After this patch, git bundle --stdin still does not work; it just doesn’t segfault any more.

Reported-by: Joey Hess <joey@kitenet.net>
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'builtin-update-ref.c')
0 files changed, 0 insertions, 0 deletions
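
The unsigned wraparound described in the commit message, as an added example that is not git's code or part of this commit: a simplified in-place dedup loop run with the original and the fixed loop test. The `name_array` struct, the function names and the sample ref names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical stand-in for a list of named entries; not git's own struct. */
struct name_array {
	unsigned int nr;       /* entry count, unsigned as the message describes */
	const char **names;
};

/* Drop duplicate names in place; use_fixed_test picks the loop condition. */
static void remove_duplicates(struct name_array *array, int use_fixed_test)
{
	unsigned int ref, src, dst;
	for (ref = 0;
	     use_fixed_test ? (ref + 1 < array->nr)    /* fixed: no subtraction */
	                    : (ref < array->nr - 1);   /* buggy: 0 - 1 wraps to UINT_MAX */
	     ref++) {
		for (src = ref + 1, dst = src; src < array->nr; src++) {
			if (!strcmp(array->names[ref], array->names[src]))
				continue;              /* duplicate of names[ref]: skip it */
			array->names[dst++] = array->names[src];
		}
		array->nr = dst;   /* empty input + buggy test: dst is 1 here */
	}
}

/* Count left after running the chosen variant on an empty array. */
static unsigned int nr_after_empty(int use_fixed_test)
{
	struct name_array empty = { 0, NULL };
	remove_duplicates(&empty, use_fixed_test);
	return empty.nr;
}

/* Count left after running the chosen variant on constructed sample names. */
static unsigned int nr_after_sample(int use_fixed_test)
{
	const char *names[] = { "HEAD", "master", "HEAD", "next", "master" };
	struct name_array a = { 5, names };
	remove_duplicates(&a, use_fixed_test);
	return a.nr;
}

int main(void)
{
	printf("empty,  buggy test: nr = %u\n", nr_after_empty(0));
	printf("empty,  fixed test: nr = %u\n", nr_after_empty(1));
	printf("sample, fixed test: nr = %u\n", nr_after_sample(1));
	return 0;
}
```

Both loop tests give the same result on non-empty input; they differ only when `nr` is 0, which is why the defect stayed hidden until a caller passed an empty list.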