The buffer in the postimage may become too small when whitespace fixes are applied to the patch and update_pre_post_images might write past the end of the buffer. Teach the code to reallocate the buffer if needed. When it comes time to free the buffer, do it directly on postimage.buf instead of the newlines strbuf. Signed-off-by: Carlos Martín Nieto <cmn@xxxxxxxx> --- This was reported on IRC. Reproduction steps are at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=663338 and it involves applying a patch whilst fixing whitespace changes. Blame says Junio and Giuseppe were the last ones to touch this part of the code, so there you go. While this seems like a reasonable fix to me, it's the first time I've looked at this part of the code, so there might be a better way of growing the buffer to its final size. I considered adding a loop at the beginning to determine the final size, but I'm unsure about which lines actually get skipped. builtin/apply.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/builtin/apply.c b/builtin/apply.c index 389898f..8899b09 100644 --- a/builtin/apply.c +++ b/builtin/apply.c @@ -2003,10 +2003,12 @@ static void update_pre_post_images(struct image *preimage, * in place (postlen==0) or not. */ old = postimage->buf; - if (postlen) + if (postlen) { new = postimage->buf = xmalloc(postlen); - else + postimage->alloc = postlen; + } else { new = old; + } fixed = preimage->buf; for (i = ctx = 0; i < postimage->nr; i++) { size_t len = postimage->line[i].len; @@ -2032,6 +2034,13 @@ static void update_pre_post_images(struct image *preimage, /* and copy it in, while fixing the line length */ len = preimage->line[ctx].len; + if (postimage->alloc < (new - postimage->buf) + len) { + size_t post_len = new - postimage->buf; + postimage->buf = xrealloc(postimage->buf, post_len + len); + postimage->alloc = post_len + len; + new = postimage->buf + post_len; + } + memcpy(new, fixed, len); new += len; fixed += len; 
@@ -2594,6 +2603,7 @@ static int apply_one_fragment(struct image *img, struct fragment *frag, preimage.len = old - oldlines; postimage.buf = newlines.buf; postimage.len = newlines.len; + postimage.alloc = newlines.alloc; preimage.line = preimage.line_allocated; postimage.line = postimage.line_allocated; @@ -2679,7 +2689,7 @@ static int apply_one_fragment(struct image *img, struct fragment *frag, } free(oldlines); - strbuf_release(&newlines); + free(postimage.buf); free(preimage.line_allocated); free(postimage.line_allocated); -- 1.7.10.rc0.17.g74595
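Review bot: in the in-place branch of the first hunk (`postlen == 0`, `new = old`) nothing sets `postimage->alloc`, so the bounds check added further down in update_pre_post_images depends entirely on the caller having filled in `alloc` before the call; a postimage set up by any caller that does not do so will carry `alloc == 0` and trigger a realloc of a buffer it does not own. Since the comment just above this hunk already says "We trust the caller to tell us if the update can be done in place", extend it to state that `postimage->alloc` is now part of that contract, or add an `assert(postlen || postimage->alloc >= postimage->len)` next to `new = old;` so a missing `alloc` fails loudly instead of corrupting memory.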
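Review bot: the `xrealloc` in the second hunk may move the block, but only `new` is rebased onto the new `postimage->buf`; `old`, which the first hunk initialises to the same buffer (`old = postimage->buf;`, and `new = old;` in the in-place case), keeps pointing into the freed allocation, so any later read through `old` in this loop is a use-after-free in exactly the in-place case the patch sets out to fix. Save the pre-realloc pointer and rebase `old` as well when `postlen == 0` (`old = postimage->buf + (old - saved_buf);`). Separately, growing by exactly `len` each time can realloc once per grown context line; `ALLOC_GROW(postimage->buf, post_len + len, postimage->alloc)` from cache.h gives the usual geometric growth and replaces the `if` test and the two assignments here, leaving only `new = postimage->buf + post_len;`.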
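Review bot: after `postimage.alloc = newlines.alloc;` in the third hunk, `postimage` owns a buffer that `newlines` still describes, and once update_pre_post_images has reallocated it the strbuf's `buf` and `alloc` fields are stale. A one-line comment at this assignment saying that `newlines` is handed over to postimage and must not be touched afterwards would stop someone from adding a strbuf_* call on `newlines` between here and the cleanup.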
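Review bot: with `strbuf_release(&newlines)` replaced by `free(postimage.buf)` in the last hunk, the buffer `newlines` held is only freed when `postimage.buf` still points at it; on the `new = postimage->buf = xmalloc(postlen);` path of the first hunk, `postimage->buf` is replaced rather than reallocated, so the original `newlines.buf` (which this line used to release) now leaks. Freeing `old` at the end of update_pre_post_images when `postlen` is non-zero (the realloc path already disposes of the previous block) would let `free(postimage.buf)` here cover the remaining case without leaking either buffer.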