want_color_fd() is designed to work only with standard input, output,
and error file descriptors, and stores information about each descriptor
in an array. However, it doesn't verify that the passed-in descriptor
lives within that set, which, with a buggy caller, could lead to
access/assignment outside the array bounds.
Signed-off-by: Eric Sunshine <sunshine@xxxxxxxxxxxxxx>
---
Just something I noticed while studying this code in relation to a patch
review.
color.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/color.c b/color.c
index b1c24c69de..b0be9ce505 100644
--- a/color.c
+++ b/color.c
@@ -343,6 +343,9 @@ int want_color_fd(int fd, int var)
static int want_auto[3] = { -1, -1, -1 };
+ if (fd < 0 || fd >= ARRAY_SIZE(want_auto))
+ BUG("file descriptor out of range: %d", fd);
+
if (var < 0)
var = git_use_color_default;
--
2.18.0.599.g4ce2a8faa4.dirty
