There are a number of places in the code where we call
xsnprintf(), with the assumption that the output will fit into
the buffer. If the buffer is small, then git die.
In many places buffers have compile-time size, but generated string
depends from current system locale (gettext)and can have size
greater the buffer.
Just run "LANG=ru_RU.UTF8 git bisect start v4.9 v4.8"
on linux sources - it impossible.
git_psprintf is similar to the standard C sprintf() function
but safer, since it calculates the maximum space required
and allocates memory to hold the result.
The returned string should be freed with free() when no longer needed.
Signed-off-by: Maxim Moseychuk <franchesko.salias.hudro.pedros@xxxxxxxxx>
---
git-compat-util.h | 3 +++
wrapper.c | 19 +++++++++++++++++++
2 files changed, 22 insertions(+)
diff --git a/git-compat-util.h b/git-compat-util.h
index 87237b092..fa98705d0 100644
--- a/git-compat-util.h
+++ b/git-compat-util.h
@@ -878,6 +878,9 @@ static inline size_t xsize_t(off_t len)
return (size_t)len;
}
+__attribute__((format (printf, 1, 2)))
+extern char *git_psprintf(const char *fmt, ...);
+
__attribute__((format (printf, 3, 4)))
extern int xsnprintf(char *dst, size_t max, const char *fmt, ...);
diff --git a/wrapper.c b/wrapper.c
index e7f197996..deee46d2d 100644
--- a/wrapper.c
+++ b/wrapper.c
@@ -635,6 +635,25 @@ char *xgetcwd(void)
return strbuf_detach(&sb, NULL);
}
+char *git_psprintf(const char *fmt, ...)
+{
+ va_list ap;
+ int len;
+ char *dst;
+
+ va_start(ap, fmt);
+ len = vsnprintf(NULL, 0, fmt, ap);
+ va_end(ap);
+
+ dst = xmallocz(len);
+
+ va_start(ap, fmt);
+ vsprintf(dst, fmt, ap);
+ va_end(ap);
+
+ return dst;
+}
+
int xsnprintf(char *dst, size_t max, const char *fmt, ...)
{
va_list ap;
--
2.11.1