diff options
| author | René Scharfe <rene.scharfe@lsrfire.ath.cx> | 2009-01-31 15:39:10 +0100 | 
|---|---|---|
| committer | Junio C Hamano <gitster@pobox.com> | 2009-01-31 10:39:55 -0800 | 
| commit | c7cddc1a2f365e4f4aea71b700c0b833eb436fee (patch) | |
| tree | bef2c12a4203ddd03aa27def6bc1fe8fefc8e451 /unpack-trees.c | |
| parent | 915308b187bdaba9ad1c6c3dea7b2b4b200b4796 (diff) | |
| download | git-c7cddc1a2f365e4f4aea71b700c0b833eb436fee.tar.gz | |
merge: fix out-of-bounds memory access
The parameter n of unpack_callback() can have a value of up to
MAX_UNPACK_TREES.  The check at the top of unpack_trees() (its only
(indirect) caller) makes sure it cannot exceed this limit.
unpack_callback() passes it and the array src to unpack_nondirectories(),
which has this loop:
	for (i = 0; i < n; i++) {
		/* ... */
		src[i + o->merge] = o->df_conflict_entry;
o->merge can be 0 or 1, so unpack_nondirectories() potentially accesses
the array src at index MAX_UNPACK_TREES.  This patch makes it big enough.
Reported-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: René Scharfe <rene.scharfe@lsrfire.ath.cx>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'unpack-trees.c')
| -rw-r--r-- | unpack-trees.c | 9 | 
1 files changed, 6 insertions, 3 deletions
| diff --git a/unpack-trees.c b/unpack-trees.c index 54f301da67..4229eec123 100644 --- a/unpack-trees.c +++ b/unpack-trees.c @@ -240,8 +240,11 @@ static struct cache_entry *create_ce_entry(const struct traverse_info *info, con  	return ce;  } -static int unpack_nondirectories(int n, unsigned long mask, unsigned long dirmask, struct cache_entry *src[5], -	const struct name_entry *names, const struct traverse_info *info) +static int unpack_nondirectories(int n, unsigned long mask, +				 unsigned long dirmask, +				 struct cache_entry **src, +				 const struct name_entry *names, +				 const struct traverse_info *info)  {  	int i;  	struct unpack_trees_options *o = info->data; @@ -291,7 +294,7 @@ static int unpack_nondirectories(int n, unsigned long mask, unsigned long dirmas  static int unpack_callback(int n, unsigned long mask, unsigned long dirmask, struct name_entry *names, struct traverse_info *info)  { -	struct cache_entry *src[5] = { NULL, }; +	struct cache_entry *src[MAX_UNPACK_TREES + 1] = { NULL, };  	struct unpack_trees_options *o = info->data;  	const struct name_entry *p = names; | 
