> On Jan 3, 2022, at 8:56 PM, Junio C Hamano <gitster@xxxxxxxxx> wrote:
>
> "John Cai via GitGitGadget" <gitgitgadget@xxxxxxxxx> writes:
>
>> + size_t out_len;
>> + const char *val = find_header_mem(msg, len, key, &out_len);
>> +
>> + if (val == NULL)
>
> Style:
>
> if (!val)
>
>> + return NULL;
>> +
>> + if (next_line)
>> + *next_line = val + out_len + 1;
>> +
>> + return xmemdupz(val, out_len);
>> }
>>
>> /*
>> diff --git a/commit.c b/commit.c
>> index a348f085b2b..8ac32a4d7b5 100644
>> --- a/commit.c
>> +++ b/commit.c
>> @@ -1631,12 +1631,13 @@ struct commit_list **commit_list_append(struct commit *commit,
>> return &new_commit->next;
>> }
>>
>> -const char *find_commit_header(const char *msg, const char *key, size_t *out_len)
>> +const char *find_header_mem(const char *msg, size_t len,
>> + const char *key, size_t *out_len)
>> {
>> int key_len = strlen(key);
>> const char *line = msg;
>>
>> + while (line && line < msg + len) {
>> const char *eol = strchrnul(line, '\n');
>
> Between line[0] and msg[len], there may not be a LF nor NUL at all,
> and strchrnul() will scan beyond the range we were given (which is
> msg[0]..msg[len]).
>
> But that is something we share with the find_header() if I am not
> mistaken, so I am OK to leave the code as posted and leave it
> outside the scope of this series to clean it up to make it safer.
Good catch. Thanks for pointing that out-I didn’t notice it. I’ve added a NEEDSWORK
Block to this so we can address it in a later patch series.
>
> The reason why it is probably safe for the current set of callers
> (and presumably any reasonable new callers we may add later) is that
> they computed "len" by scanning the block of memory starting at (or
> before) "msg" before calling us, and we know that the block of
> memory is properly NUL-terminated. find_header() is called by
> check_nonce() and check_cert_push_options(), both of which tell
> us to scan in a strbuf, which is designed to be scannable for NUL
> safely by having an extra NUL at the end beyond the end.
>
