On Fri, Oct 28, 2022 at 03:29:33PM -0700, Martin Englund wrote: > What did you do before the bug happened? (Steps to reproduce your issue) > I created a signed tag (git tag -s) using a ssh-agent key and then ran > git tag -l --format '%(contents:body)' v0.6.1 > > What did you expect to happen? (Expected behavior) > I get the output > > What happened instead? (Actual behavior) > fatal: Out of memory, malloc failed (tried to allocate > 18446744073709551266 bytes) Thanks for the report. This looks like pointer or size_t arithmetic that has gone negative. Here's a minimal reproduction: { echo subject echo "-----BEGIN PGP SIGNATURE-----" } | git tag -F - foo git tag -l --format='%(contents:body)' foo The issue isn't unique to pgp signatures; the problem is in the parsing done by ref-filter's find_subpos(), so any signature type exhibits the problem. At the end of that function we do: *nonsiglen = sigstart - buf; but "buf" has moved beyond "sigstart". Presumably because it uses strstr() to look for end-of-line in buf. Since there isn't one before the signature begins, we go to the end of the signature. The bug bisects to 9f75ce3d8f (ref-filter: handle CRLF at end-of-line more gracefully, 2020-10-29). Before then, I think our loop was careful about moving past the start of the signature. Author cc'd. -Peff