check_one_conflict() compares `i` to `active_nr` in two places to avoid buffer overruns, but left out an important third location. Note that this bug probably cannot be triggered in the current codebase. Existing merge strategies have tended not to create entries at stage #1 that do not have a corresponding entry at either stage #2 or stage #3. (The bug was found while exploring some ideas for modifying conflict resolution.) However, it is technically possible that an external merge strategy could create such entries, so add a check to avoid segfaults. Signed-off-by: Elijah Newren <newren@xxxxxxxxx> --- Originally submitted here: https://public-inbox.org/git/20180806224745.8681-2-newren@xxxxxxxxx/ While I want to push that RFC series more and will get back to it, this patch is independently good so I'm submitting separately. For some history about how the current code got to where it is today, see: fb70a06da2f1 ("rerere: fix an off-by-one non-bug", 2015-06-28) 5eda906b2873 ("rerere: handle conflicts with multiple stage #1 entries", 2015-07-24) rerere.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rerere.c b/rerere.c index c7787aa07f..783d4dae2a 100644 --- a/rerere.c +++ b/rerere.c @@ -533,7 +533,7 @@ static int check_one_conflict(int i, int *type) } *type = PUNTED; - while (ce_stage(active_cache[i]) == 1) + while (i < active_nr && ce_stage(active_cache[i]) == 1) i++; /* Only handle regular files with both stages #2 and #3 */ -- 2.19.0.rc2
