Junio C Hamano <gitster@xxxxxxxxx> writes: > Good that your attempt to signature-changing change caught it. I'll > take a further look. So here are two patch series. The first one makes sure all callers of parse_sha1_header() check the returned status. -- >8 -- From: Junio C Hamano <gitster@xxxxxxxxx> Date: Mon, 26 Sep 2016 09:23:41 -0700 Subject: [PATCH 1/2] streaming: make sure to notice corrupt object The streaming read interface from a loose object called parse_sha1_header() but discarded its return value, without noticing a potential error. Signed-off-by: Junio C Hamano <gitster@xxxxxxxxx> --- streaming.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/streaming.c b/streaming.c index 811fcc2..884a8f1 100644 --- a/streaming.c +++ b/streaming.c @@ -347,7 +347,8 @@ static open_method_decl(loose) return -1; } - parse_sha1_header(st->u.loose.hdr, &st->size); + if (parse_sha1_header(st->u.loose.hdr, &st->size) < 0) + return -1; st->u.loose.hdr_used = strlen(st->u.loose.hdr) + 1; st->u.loose.hdr_avail = st->z.total_out; st->z_state = z_used; -- 2.10.0-533-ga18d90d
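Review bot: the new early exit in open_method_decl(loose), `if (parse_sha1_header(st->u.loose.hdr, &st->size) < 0) return -1;`, returns without any cleanup, although by this point the header has already been inflated through st->z (st->z.total_out is read two lines later). The error block just above it, of which only the closing `return -1; }` is visible in this hunk, should be checked for the teardown it performs before returning. If it releases the inflate state or other resources of the loose object, the new path needs the same release, for example by folding the parse_sha1_header() check into that block's condition so both failures share one exit. Otherwise every corrupt loose header that reaches this check leaves those resources held. The commit message could also say in one sentence what the caller now sees when the header is corrupt, since the function previously continued with whatever st->size held.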