We allocate a `struct refspec_item` on the stack without initializing
it. In particular, its `dst` and `src` members will contain some random
data from the stack. When we later call `refspec_item_clear()`, it will
call `free()` on those pointers. So if the call to `parse_refspec()` did
not assign to them, we will be freeing some random "pointers". This is
undefined behavior.
To the best of my understanding, this cannot currently be triggered by
user-provided data. And for what it's worth, the test-suite does not
trigger this with SANITIZE=address. It can be provoked by calling
`valid_fetch_refspec(":*")`.
Zero the struct, as is done in other users of `struct refspec_item`.
Signed-off-by: Martin Ågren <martin.agren@xxxxxxxxx>
---
I found some time to look into this. It does not seem to be a
user-visible bug, so not particularly critical.
refspec.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/refspec.c b/refspec.c
index ada7854f7a..7dd7e361e5 100644
--- a/refspec.c
+++ b/refspec.c
@@ -189,7 +189,10 @@ void refspec_clear(struct refspec *rs)
int valid_fetch_refspec(const char *fetch_refspec_str)
{
struct refspec_item refspec;
- int ret = parse_refspec(&refspec, fetch_refspec_str, REFSPEC_FETCH);
+ int ret;
+
+ memset(&refspec, 0, sizeof(refspec));
+ ret = parse_refspec(&refspec, fetch_refspec_str, REFSPEC_FETCH);
refspec_item_clear(&refspec);
return ret;
}
--
2.18.0.rc0.43.gb85e7bcbff
