There is a check (size < 64) at the beginning of the function, but that only covers object+type lines. Code for parsing "tag" and "tagger" may access outside the buffer. Fix it.

Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@xxxxxxxxx>
---
On Thu, Feb 17, 2011 at 7:43 PM, René Scharfe <rene.scharfe@xxxxxxxxxxxxxx> wrote:
> memchr() won't notice if a negative value has been passed as the third parameter
> because its type is size_t, which is unsigned. Negative values are
> converted to big positive ones.

I did not notice that. Fixed commit message.

 tag.c | 6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/tag.c b/tag.c index ecf7c1e..7d38cc0 100644 --- a/tag.c +++ b/tag.c @@ -97,7 +97,9 @@ int parse_tag_buffer(struct tag *item, const void *data, unsigned long size) item->tagged = NULL; } - if (prefixcmp(bufptr, "tag ")) + if (bufptr + 4 < tail && !prefixcmp(bufptr, "tag ")) + ; /* good */ + else return -1; bufptr += 4; nl = memchr(bufptr, '\n', tail - bufptr); @@ -106,7 +108,7 @@ int parse_tag_buffer(struct tag *item, const void *data, unsigned long size) item->tag = xmemdupz(bufptr, nl - bufptr); bufptr = nl + 1; - if (!prefixcmp(bufptr, "tagger ")) + if (bufptr + 7 < tail && !prefixcmp(bufptr, "tagger ")) item->date = parse_tag_date(bufptr, tail); else item->date = 0; -- 1.7.4.74.g639db
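Review bot: the `; /* good */` followed by `else return -1;` in the first hunk (@@ -97,7 +97,9 @@) is hard to read; inverting the condition keeps the early return and drops the empty statement: `if (tail - bufptr <= 4 || prefixcmp(bufptr, "tag ")) return -1;`. Writing the length test as `tail - bufptr <= 4` instead of `bufptr + 4 < tail` also avoids forming a pointer that may lie past the end of the buffer. The bound itself is right: with `bufptr + 4 < tail` at least one byte follows "tag ", so the `tail - bufptr` handed to memchr() after `bufptr += 4` is positive and the size_t conversion described in the quoted reply cannot turn it into a huge length. The hunk stops at the memchr() call, so the NULL check on `nl` that must precede the second hunk's `nl - bufptr` is not visible here; please confirm it is still in place.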
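Review bot: in the second hunk (@@ -106,7 +108,7 @@) the new `bufptr + 7 < tail` test has the same past-the-end pointer concern as the "tag " check and reads better as `tail - bufptr > 7`; since this is the second copy of the idiom, a small helper taking the prefix and its length would keep the two in step. Behaviourally it is correct: after `bufptr = nl + 1` the pointer may already equal `tail` when the newline ending the tag line is the last byte, and the test then fails and falls through to `item->date = 0` rather than calling prefixcmp() on bytes beyond the buffer. One consequence worth a comment: a buffer that ends exactly with "tagger " and no value is treated like a tag with no tagger line and accepted, rather than rejected as truncated.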
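The quoted point about memchr() and the two length checks in the patch are easier to see in a stand-alone parser. The following is an added example, not git's tag.c: it parses the "object", "type", "tag" and optional "tagger" header lines of a tag object with an explicit remaining-length test before every prefix comparison, keeps that length signed so a negative value is rejected before it can reach memchr() as a size_t, and is exercised on a constructed sample object truncated at several points. The struct, the expect_key() and take_line() helpers, memchr_len_seen_by_callee() and the sample tag text are this example's own; only prefixcmp() mirrors git's contract.

```c
/* Added example, not git's tag.c: a bounds-checked parser for the header lines
 * of a tag object. Everything except prefixcmp()'s contract is this example's
 * own, and the sample tag text below is constructed, not a real object. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct tag_hdr {
    char type[16];
    char name[64];
    int has_tagger;
};

/* Same contract as git's prefixcmp(): 0 when str starts with prefix. It reads
 * up to strlen(prefix) bytes of str, so the caller must check that many remain. */
static int prefixcmp(const char *str, const char *prefix)
{
    for (; ; str++, prefix++)
        if (!*prefix)
            return 0;
        else if (*str != *prefix)
            return (unsigned char)*prefix - (unsigned char)*str;
}

/* What memchr() sees when a negative tail - bufptr reaches its size_t third
 * argument: -1 becomes SIZE_MAX and the scan runs off the end of the buffer. */
size_t memchr_len_seen_by_callee(ptrdiff_t tail_minus_bufptr)
{
    return (size_t)tail_minus_bufptr;
}

/* Expect "<key> " at bufptr; return the first value byte, or NULL when fewer
 * than strlen(key) + 2 bytes remain (key, space, one byte for memchr() to scan).
 * The remaining length stays signed and is computed as tail - bufptr, so a
 * negative value fails the test instead of wrapping, and no pointer past the
 * end of the buffer is ever formed. */
static const char *expect_key(const char *bufptr, const char *tail, const char *key)
{
    ptrdiff_t left = tail - bufptr;
    size_t klen = strlen(key);

    if (left <= (ptrdiff_t)klen + 1)
        return NULL;
    if (prefixcmp(bufptr, key) || bufptr[klen] != ' ')
        return NULL;
    return bufptr + klen + 1;
}

/* Copy the value from val up to the next newline into dst and point *next at
 * the byte after it (possibly tail); -1 if no newline, empty, or too long. */
static int take_line(const char *val, const char *tail, char *dst, size_t dstlen,
                     const char **next)
{
    const char *nl = memchr(val, '\n', tail - val); /* expect_key() ensured >= 1 */
    size_t n = nl ? (size_t)(nl - val) : 0;

    if (!nl || n == 0 || n >= dstlen)
        return -1;
    memcpy(dst, val, n);
    dst[n] = '\0';
    *next = nl + 1;
    return 0;
}

/* Parse "object", "type", "tag" and the optional "tagger" line; 0 on success,
 * -1 on malformed or truncated input. */
int parse_tag_hdr(const char *data, size_t size, struct tag_hdr *out)
{
    const char *bufptr = data, *tail = data + size, *val;
    char sha1[41];

    memset(out, 0, sizeof(*out));
    if (!(val = expect_key(bufptr, tail, "object")) ||
        take_line(val, tail, sha1, sizeof(sha1), &bufptr) || strlen(sha1) != 40)
        return -1;
    if (!(val = expect_key(bufptr, tail, "type")) ||
        take_line(val, tail, out->type, sizeof(out->type), &bufptr))
        return -1;
    if (!(val = expect_key(bufptr, tail, "tag")) ||
        take_line(val, tail, out->name, sizeof(out->name), &bufptr))
        return -1;
    /* "tagger" is optional and bufptr may already equal tail here; expect_key()
     * then fails cleanly instead of comparing bytes past the buffer. */
    out->has_tagger = expect_key(bufptr, tail, "tagger") != NULL;
    return 0;
}

/* Constructed sample object, 127 bytes: the "tag" line occupies bytes 60..68
 * and "tagger" starts at byte 69. */
static const char sample_tag[] =
    "object 0123456789abcdef0123456789abcdef01234567\n"
    "type commit\n"
    "tag v1.0\n"
    "tagger A U Thor <a@example.com> 1297936800 +0100\n"
    "\n"
    "message\n";

struct tag_hdr last_hdr;
/* Parse only the first len bytes of sample_tag (a truncated object) into last_hdr. */
int parse_sample_prefix(size_t len)
{
    return parse_tag_hdr(sample_tag, len, &last_hdr);
}
```

Truncating the sample after "ta", after "tag " with no value, or after "tag v" with no newline makes parse_sample_prefix() return -1, while cutting it right after the tag line's newline or part-way into "tagg" is accepted with has_tagger cleared, which is the behaviour the patch's `bufptr + 7 < tail` test produces. The one deliberate difference from the patch is that the remaining length is always computed as `tail - bufptr` and compared as a signed ptrdiff_t, so the check cannot be defeated by the size_t conversion René describes and never forms a pointer beyond the buffer.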