Dimension the buffer based on PATH_MAX rather than a magic number, and
verify that the path fits in it before continuing.
Signed-off-by: Michael Haggerty <mhagger@xxxxxxxxxxxx>
---
I don't think that this problem is remotely exploitable, because the
size of the string doesn't depend on inputs that can be influenced by
a client (at least not within Git).
builtin/prune.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/builtin/prune.c b/builtin/prune.c
index 6366917..ae34d04 100644
--- a/builtin/prune.c
+++ b/builtin/prune.c
@@ -96,7 +96,9 @@ static void prune_object_dir(const char *path)
{
int i;
for (i = 0; i < 256; i++) {
- static char dir[4096];
+ static char dir[PATH_MAX + 1];
+ if (strlen(path) + 3 > PATH_MAX)
+ die("impossible object directory");
sprintf(dir, "%s/%02x", path, i);
prune_dir(i, dir);
}
--
1.8.5.1
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html