Hi Eric,
On Thu, 2 Aug 2018, Eric Sunshine wrote:
> want_color_fd() is designed to work only with standard input, output,
> and error file descriptors, and stores information about each descriptor
> in an array. However, it doesn't verify that the passed-in descriptor
> lives within that set, which, with a buggy caller, could lead to
> access/assignment outside the array bounds.
ACK!
Thanks,
Dscho
>
> Signed-off-by: Eric Sunshine <sunshine@xxxxxxxxxxxxxx>
> ---
>
> Just something I noticed while studying this code in relation to a patch
> review.
>
> color.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/color.c b/color.c
> index b1c24c69de..b0be9ce505 100644
> --- a/color.c
> +++ b/color.c
> @@ -343,6 +343,9 @@ int want_color_fd(int fd, int var)
>
> static int want_auto[3] = { -1, -1, -1 };
>
> + if (fd < 0 || fd >= ARRAY_SIZE(want_auto))
> + BUG("file descriptor out of range: %d", fd);
> +
> if (var < 0)
> var = git_use_color_default;
>
> --
> 2.18.0.599.g4ce2a8faa4.dirty
>
>
