On 01.11.2015 at 18:50, Junio C Hamano wrote:
> René Scharfe <l.s.r@xxxxxx> writes:
>
>> If we're on a detached HEAD then wt_shortstatus_print_tracking() takes
>> the string "HEAD (no branch)", translates it, skips the first eleven
>> characters and passes the result to branch_get(), which returns a bogus
>> result and accesses memory out of bounds in order to produce it.
>
> The fix is correct, but the above explanation looks "not quite" to
> me.
>
> That "HEAD (no branch)" thing is in a separate branch_name variable
> that is not involved in the actual computation (i.e. call to
> branch_get()).
>
> The function gets "HEAD" in s->branch, uses that and skips the first
> eleven characters (i.e. beyond the end of that string), lets
> branch_get() return a garbage and likely missing branch, finds
> that nobody tracks that, and does the right thing anyway. If the
> garbage past the end of the "HEAD" happens to have a name of an
> existing branch, we would get an incorrect result.

Ah, yes. This came from an earlier round which had patch 3 and 4
reversed, causing the translated string to be passed to branch_get().
Thanks for catching the commit message inconsistency!
René
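
The unconditional eleven-character skip discussed in this thread, next to a checked prefix skip, as an added example that is not Git's code and not part of either message. It assumes the eleven characters correspond to a "refs/heads/" prefix; the function names and the branch table are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: the eleven skipped characters are the "refs/heads/" prefix. */
#define REF_PREFIX "refs/heads/"

/* Constructed sample data: local branches and their upstreams. */
struct branch { const char *name; const char *upstream; };
static const struct branch branches[] = {
    { "master", "origin/master" },
    { "topic", NULL },
};

/* How many bytes beyond the terminating NUL an unconditional
 * `ref + 11` would point; 0 means the skip stays inside the string.
 * Computed from lengths only, so nothing is read out of bounds here. */
size_t unchecked_skip_overrun(const char *ref)
{
    size_t len = strlen(ref), skip = strlen(REF_PREFIX);
    return skip > len ? skip - len : 0;
}

/* Checked skip: advance past the prefix only if it is really there. */
const char *short_branch_name(const char *ref)
{
    size_t n = strlen(REF_PREFIX);
    return strncmp(ref, REF_PREFIX, n) == 0 ? ref + n : NULL;
}

/* Upstream lookup that refuses to look up anything for a detached HEAD. */
const char *upstream_for(const char *ref)
{
    const char *name = short_branch_name(ref);
    if (!name)
        return NULL;
    for (size_t i = 0; i < sizeof(branches) / sizeof(branches[0]); i++)
        if (strcmp(branches[i].name, name) == 0)
            return branches[i].upstream;
    return NULL;
}

int main(void)
{
    const char *refs[] = { "HEAD", "refs/heads/master", "refs/heads/topic" };
    for (size_t i = 0; i < 3; i++) {
        const char *up = upstream_for(refs[i]);
        printf("%-18s overrun=%zu upstream=%s\n", refs[i],
               unchecked_skip_overrun(refs[i]), up ? up : "(none)");
    }
    return 0;
}
```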