To make this code independent of the hash size, verify that the length of the comment is equal to that of any supported hash algorithm.

Signed-off-by: brian m. carlson <sandals@xxxxxxxxxxxxxxxxxxxx>
---
 builtin/get-tar-commit-id.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/builtin/get-tar-commit-id.c b/builtin/get-tar-commit-id.c
index 312e44ed05..491af9202d 100644
--- a/builtin/get-tar-commit-id.c
+++ b/builtin/get-tar-commit-id.c
@@ -41,7 +41,8 @@ int cmd_get_tar_commit_id(int argc, const char **argv, const char *prefix)
 if (!skip_prefix(end, " comment=", &comment))
 return 1;
 len -= comment - content;
- if (len != GIT_SHA1_HEXSZ + 1)
+ if (len < 1 || !(len % 2) ||
+ hash_algo_by_length((len - 1) / 2) == GIT_HASH_UNKNOWN)
 return 1;
 
 if (write_in_full(1, comment, len) < 0)
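Review bot: The rewritten condition no longer caps `len` by itself: the old test pinned it to one exact value, whereas the new one depends on `hash_algo_by_length((len - 1) / 2)` rejecting every unsupported size, and the same `len` is then handed unchanged to `write_in_full(1, comment, len)`. If that helper's parameter is narrower than `len` (both declarations are outside the hunk, so this needs confirming), a very large odd value could be narrowed before the lookup and still be accepted. An explicit upper bound would keep the write length independent of the helper's signature, for example `if (len < 1 || len > GIT_MAX_HEXSZ + 1 || !(len % 2) ||`. The body of cmd_get_tar_commit_id starts and ends outside the hunk, so any bounds check elsewhere is not visible here.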