Jeff King <peff@xxxxxxxx> writes:
> When we are chomping newlines from the end of a strbuf, we
> must check "sb.len != 0" before accessing "sb.buf[sb.len - 1]".
> However, this code mistakenly checks "&sb.len", which is
> always true (it is a part of an auto struct, so the address
> is always non-zero). This could lead to us accessing memory
> outside the strbuf when we read an empty file.
>
> Signed-off-by: Jeff King <peff@xxxxxxxx>
> ---
> This dates back to 8b87cfd (wt-status: move strbuf into
> read_and_strip_branch(), 2013-03-16), so it is not a bug that needs
> addressed during the -rc period.
>
> This is the most minimal fix, but I kind of wonder if it should just be
> using strbuf_rtrim (or even strbuf_trim) in the first place.
Yeah. Or strbuf_chomp(), which does not exist ;-)
It is tempting to apply this directly to maint and merge up
immediately, as there is no way this 1-byte change will break things
(of course that is not necessarily true for random 1-byte changes,
though).
It sometimes gets really hard to resist that temptation during the
pre-release freeze period.
> wt-status.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/wt-status.c b/wt-status.c
> index b54eac5..29666d0 100644
> --- a/wt-status.c
> +++ b/wt-status.c
> @@ -1140,7 +1140,7 @@ static char *read_and_strip_branch(const char *path)
> if (strbuf_read_file(&sb, git_path("%s", path), 0) <= 0)
> goto got_nothing;
>
> - while (&sb.len && sb.buf[sb.len - 1] == '\n')
> + while (sb.len && sb.buf[sb.len - 1] == '\n')
> strbuf_setlen(&sb, sb.len - 1);
> if (!sb.len)
> goto got_nothing;
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html