If the subject line is '...' the strbuf will be accessed before the first dot is added; potentially changing the strbuf passed into the function or accessing sb->buf[-1] if it was originally empty. Reported-by: René Scharfe <rene.scharfe@xxxxxxxxxxxxxx> --- I was thinking about this today actually. Thanks. With regards to the isalnum(), I kept the original code because I wasn't sure if the functionality would be different. pretty.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) diff --git a/pretty.c b/pretty.c index c57cef4..a0ef356 100644 --- a/pretty.c +++ b/pretty.c @@ -502,6 +502,7 @@ static int istitlechar(char c) static void format_sanitized_subject(struct strbuf *sb, const char *msg) { size_t trimlen; + size_t start_len = sb->len; int space = 2; for (; *msg && *msg != '\n'; msg++) { @@ -519,8 +520,9 @@ static void format_sanitized_subject(struct strbuf *sb, const char *msg) /* trim any trailing '.' or '-' characters */ trimlen = 0; - while (sb->buf[sb->len - 1 - trimlen] == '.' - || sb->buf[sb->len - 1 - trimlen] == '-') + while (sb->len - trimlen > start_len && + (sb->buf[sb->len - 1 - trimlen] == '.' + || sb->buf[sb->len - 1 - trimlen] == '-')) trimlen++; strbuf_remove(sb, sb->len - trimlen, trimlen); } -- 1.6.2
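Review bot: the new start_len declaration in the first hunk (@@ -502,6 +502,7 @@) carries the invariant the whole fix depends on, but nothing in the code says so. A short comment that it records where the caller's existing content ends, and that the trim loop must never go below it, would keep a later edit from reordering or dropping the bound. Since the value is assigned once and never modified, it could also be declared const.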
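Review bot: the second hunk (@@ -519,8 +520,9 @@) fixes an out-of-bounds read and an unintended modification of caller data, yet the diffstat shows only pretty.c changed, so no regression test covers it. Please add one that formats a subject of '...' twice: once into an empty strbuf (the sb->buf[-1] case from the commit message) and once into a strbuf that already ends in '.' or '-', asserting that the pre-existing bytes are left intact. The ordering of the new condition is correct, since the length check `sb->len - trimlen > start_len` short-circuits before the index is dereferenced and the size_t subtraction cannot wrap while that bound holds. The comment above the loop still reads "trim any trailing '.' or '-' characters"; it should say that only characters appended by this function are trimmed.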