There is a check (size < 64) at the beginning of the function, but that only covers object+type lines. Strictly speaking the current code is still correct even if it accesses outside 'data' because 'tail' is used right after prefixcmp() calls. Anyway accessing out of range is not good. Avoid it.

Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@xxxxxxxxx>
---
Unfortunately I installed valgrind but could not reproduce t9350.15 failure. Another option is to add prefixncmp(const char *, const char *,int). Probably not worth it.

tag.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) diff --git a/tag.c b/tag.c index ecf7c1e..9318ae5 100644 --- a/tag.c +++ b/tag.c @@ -97,7 +97,9 @@ int parse_tag_buffer(struct tag *item, const void *data, unsigned long size) item->tagged = NULL; } - if (prefixcmp(bufptr, "tag ")) + if (bufptr + 4 < tail && !prefixcmp(bufptr, "tag ")) + ; /* good */ + else return -1; bufptr += 4; nl = memchr(bufptr, '\n', tail - bufptr); @@ -106,7 +108,7 @@ int parse_tag_buffer(struct tag *item, const void *data, unsigned long size) item->tag = xmemdupz(bufptr, nl - bufptr); bufptr = nl + 1; - if (!prefixcmp(bufptr, "tagger ")) + if (bufptr + 7 < tail && !prefixcmp(bufptr, "tagger ")) item->date = parse_tag_date(bufptr, tail); else item->date = 0; -- 1.7.4.74.g639db
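Review bot: In the first hunk (@@ -97,7 +97,9 @@), the bound `bufptr + 4 < tail` computes a pointer that can lie more than one element past the end of the buffer when fewer than four bytes remain, which C leaves undefined even though the pointer is never dereferenced. Comparing lengths instead, `tail - bufptr > 4`, expresses the same bound without forming that pointer. The empty `; /* good */` branch followed by `else return -1;` would also read more directly as one negated condition, for example `if (tail - bufptr <= 4 || prefixcmp(bufptr, "tag ")) return -1;`.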
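Review bot: In the second hunk (@@ -106,7 +108,7 @@), the literal 7 in `bufptr + 7 < tail` has to be kept in step with the string "tagger " by hand, just as the 4 in the first hunk has to match "tag "; deriving the length from the literal, or the prefixncmp() helper mentioned in the notes, would keep the two from drifting apart. The strict `<` also demands one byte more than the prefix itself needs, so a short comment saying whether that extra byte is intentional would help the next reader. When the bound fails the code falls through to `item->date = 0`, so a tagger line cut off by the end of the buffer is handled the same way as a missing one; the commit message could say that this is the intended result.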