check_one_conflict() compares `i` to `active_nr` in two places to avoid buffer overruns, but left out an important third location. This has not previously been a problem, because existing merge strategies have tended to not create entries at stage #1 that do not have a corresponding entry at either stage #2 or stage #3. However, this is not guaranteed, so add a check to avoid segfaults. Signed-off-by: Elijah Newren <newren@xxxxxxxxx> --- rerere.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rerere.c b/rerere.c index 16c8aac621..7d22fb08c7 100644 --- a/rerere.c +++ b/rerere.c @@ -533,7 +533,7 @@ static int check_one_conflict(int i, int *type) } *type = PUNTED; - while (ce_stage(active_cache[i]) == 1) + while (i < active_nr && ce_stage(active_cache[i]) == 1) i++; /* Only handle regular files with both stages #2 and #3 */ -- 2.18.0.550.g44d6daf40a.dirty
