format_sanitized_subject: Don't trim past initial length of strbuf
If the subject line is '...' the strbuf will be accessed before the
first dot is added; potentially changing the strbuf passed into the
function or accessing sb->buf[-1] if it was originally empty.

Reported-by: René Scharfe <rene.scharfe@lsrfire.ath.cx>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Stephen Boyd authored and Junio C Hamano committed Apr 1, 2009
1 parent b09b868 commit 871d21d
Showing 1 changed file with 4 additions and 2 deletions.
6 changes: 4 additions & 2 deletions pretty.c
Expand Up @@ -502,6 +502,7 @@ static int istitlechar(char c)
static void format_sanitized_subject(struct strbuf *sb, const char *msg)
{
size_t trimlen;
size_t start_len = sb->len;
int space = 2;

for (; *msg && *msg != '\n'; msg++) {
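Review bot: The new start_len declaration at the top of format_sanitized_subject carries no comment saying what it protects. A one-line note that bytes below start_len belong to the caller and must never be trimmed would make the invariant obvious to whoever next touches the trim loop further down.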
Expand All @@ -519,8 +520,9 @@ static void format_sanitized_subject(struct strbuf *sb, const char *msg)

/* trim any trailing '.' or '-' characters */
trimlen = 0;
while (sb->buf[sb->len - 1 - trimlen] == '.'
|| sb->buf[sb->len - 1 - trimlen] == '-')
while (sb->len - trimlen > start_len &&
(sb->buf[sb->len - 1 - trimlen] == '.'
|| sb->buf[sb->len - 1 - trimlen] == '-'))
trimlen++;
strbuf_remove(sb, sb->len - trimlen, trimlen);
}
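Review bot: The bounded trim loop has no regression test, since the commit changes only pretty.c. A subject made up solely of '.' or '-' characters should be covered twice: once with an empty strbuf (the sb->buf[-1] read from the commit message) and once with a strbuf that already ends in '.' or '-', asserting that the pre-existing content is left intact. The ordering in the condition is right: sb->len - trimlen > start_len sits on the left of the &&, so it is checked before either sb->buf[sb->len - 1 - trimlen] read. The size_t subtraction cannot wrap as long as sb->len never falls below start_len, which is worth stating in a comment next to the loop.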