On Sat, Aug 18, 2018 at 09:16:28AM -0700, Junio C Hamano wrote: > -- >8 -- > Subject: [PATCH] sideband: do not read beyond the end of input > > The caller of maybe_colorize_sideband() gives a counted buffer > <src, n>, but the callee checked src[] as if it were a NUL terminated > buffer. If src[] had all isspace() bytes in it, we would have made > n negative, and then > > (1) made number of strncasecmp() calls to see if the remaining > bytes in src[] matched keywords, reading beyond the end of the > array (this actually happens even if n does not go negative), > and/or > > (2) called strbuf_add() with negative count, most likely triggering > the "you want to use way too much memory" error due to unsigned > integer overflow. > > Fix both issues by making sure we do not go beyond &src[n]. Thanks. I've been sporadically seeing "fatal: you want to use way too much memory" the last few days while running 'next', and finally managed to catch a reproducible case. This patch definitely fixes it. > In the longer term we may want to accept size_t as parameter for > clarity (even though we know that a sideband message we are painting > typically would fit on a line on a terminal and int is sufficient). > Write it down as a NEEDSWORK comment. This "typically" made me nervous about what happens in the non-typical case, but I think we can say something even stronger: the length comes from a pktline, so the maximum is less than 16 bits. I wondered if we might ever call this on the accumulated string from multiple sidebands, but it doesn't look like it. -Peff
