parse_tag_buffer(): do not prefixcmp() out of range
There is a check (size < 64) at the beginning of the function, but
that only covers object+type lines.

Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Nguyễn Thái Ngọc Duy authored and Junio C Hamano committed Feb 16, 2011
1 parent 24231e0 commit 8559425
Showing 1 changed file with 4 additions and 2 deletions.
6 changes: 4 additions & 2 deletions tag.c
Expand Up @@ -97,7 +97,9 @@ int parse_tag_buffer(struct tag *item, const void *data, unsigned long size)
item->tagged = NULL;
}

if (prefixcmp(bufptr, "tag "))
if (bufptr + 4 < tail && !prefixcmp(bufptr, "tag "))
; /* good */
else
return -1;
bufptr += 4;
nl = memchr(bufptr, '\n', tail - bufptr);
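Review bot: The bounds test in the new `if (bufptr + 4 < tail && !prefixcmp(bufptr, "tag "))` forms `bufptr + 4` before knowing that four bytes remain, and C only defines pointer arithmetic up to one past the end of the buffer, so comparing lengths is the safer form: `tail - bufptr > 4`. The empty `; /* good */` branch with `else return -1;` would also read more directly as an inverted condition, e.g. `if (tail - bufptr <= 4 || prefixcmp(bufptr, "tag ")) return -1;`. The strict `<` requires at least one byte after the prefix, which suits the `memchr()` for the newline that follows, but a short comment saying so would keep a later reader from "fixing" it to `<=`.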
Expand All @@ -106,7 +108,7 @@ int parse_tag_buffer(struct tag *item, const void *data, unsigned long size)
item->tag = xmemdupz(bufptr, nl - bufptr);
bufptr = nl + 1;

if (!prefixcmp(bufptr, "tagger "))
if (bufptr + 7 < tail && !prefixcmp(bufptr, "tagger "))
item->date = parse_tag_date(bufptr, tail);
else
item->date = 0;
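Review bot: The literal 7 in `bufptr + 7 < tail` has to be kept in step with the length of "tagger " by hand, just as 4 is paired with "tag " in the earlier hunk; a small helper that takes `bufptr`, `tail` and the prefix and derives the length from the string would cover both call sites and remove the magic numbers. Note also that when the length test fails, control falls to `item->date = 0`, so a buffer truncated at this point is treated the same as a tag with no tagger line, whereas the earlier check returns -1. If that is intended, a comment here would make it explicit.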