Martin Koegler <mkoegler@xxxxxxxxxxxxxxxxx> writes:
> Signed-off-by: Martin Koegler <mkoegler@xxxxxxxxxxxxxxxxx>
> ---
> commit.c | 28 +++++++++++++++++++++-------
> 1 files changed, 21 insertions(+), 7 deletions(-)
>
> diff --git a/commit.c b/commit.c
> index f074811..ffa0894 100644
> --- a/commit.c
> +++ b/commit.c
> @@ -48,19 +48,33 @@ struct commit *lookup_commit(const unsigned char *sha1)
> return check_commit(obj, sha1, 0);
> }
>
> -static unsigned long parse_commit_date(const char *buf)
> +static unsigned long parse_commit_date(const char *buf, const char* tail)
Should be "const char *tail" in our codebase.
> {
> unsigned long date;
> + char datebuf[20];
> + unsigned long len;
>
> + if (buf + 6 >= tail)
> + return 0;
> if (memcmp(buf, "author", 6))
> return 0;
Even though buf, which is a result from read_sha1_file(), is
always terminated with an extra NUL (outside its object size),
if a bogus commit object ends with "author" (and without the
author information) this part will pass, and ...
> - while (*buf++ != '\n')
> + while (buf < tail && *buf++ != '\n')
> /* nada */;
> + if (buf + 9 >= tail)
> + return 0;
... you catch that here. That seems like a good change.
> if (memcmp(buf, "committer", 9))
> return 0;
> - while (*buf++ != '>')
> + while (buf < tail && *buf++ != '>')
> /* nada */;
> - date = strtoul(buf, NULL, 10);
> + if (buf >= tail)
> + return 0;
Likewise here.
> + len = tail - buf;
> + if (len > sizeof(datebuf) - 1)
> + len = sizeof(datebuf) - 1;
Broken indentation.
> + memcpy(datebuf, buf, len);
> + datebuf[len] = 0;
> + date = strtoul(datebuf, NULL, 10);
However, as long as buf at this point hasn't go beyond tail,
which you already checked, I think we can rely on strtoul()
stopping at the NUL at the end of buffer (that is one beyond
tail), without this extra memcpy(). Am I mistaken?
> @@ -236,9 +250,9 @@ int parse_commit_buffer(struct commit *item, void *buffer, unsigned long size)
> return 0;
> item->object.parsed = 1;
> tail += size;
> - if (tail <= bufptr + 5 || memcmp(bufptr, "tree ", 5))
> + if (tail <= bufptr + 46 || memcmp(bufptr, "tree ", 5) || bufptr[45] != '\n')
> return error("bogus commit object %s", sha1_to_hex(item->object.sha1));
> - if (tail <= bufptr + 45 || get_sha1_hex(bufptr + 5, parent) < 0)
> + if (get_sha1_hex(bufptr + 5, parent) < 0)
> return error("bad tree pointer in commit %s",
> sha1_to_hex(item->object.sha1));
> item->tree = lookup_tree(parent);
This hunk is logically a no-op but I like your version better.
It also makes sure tree object name is terminated with a LF.
> @@ -275,7 +289,7 @@ int parse_commit_buffer(struct commit *item, void *buffer, unsigned long size)
> n_refs++;
> }
> }
> - item->date = parse_commit_date(bufptr);
> + item->date = parse_commit_date(bufptr, tail);
>
> if (track_object_refs) {
> unsigned i = 0;
> --
> 1.4.4.4
When already somewhat deep in the rc cycle, looking at a patch
from somebody who uses 1.4.4.4 makes me look at the patch a bit
more carefully than usual ;-)
-
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
