format_sanitized_subject: Don't trim past initial length of strbuf

If the subject line is '...' the strbuf will be accessed before the
first dot is added; potentially changing the strbuf passed into the
function or accessing sb->buf[-1] if it was originally empty.

Reported-by: René Scharfe <rene.scharfe@lsrfire.ath.cx>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
maint
Stephen Boyd 16 years ago committed by Junio C Hamano
parent
commit
871d21d42e
6
pretty.c

@ -502,6 +502,7 @@ static int istitlechar(char c) @@ -502,6 +502,7 @@ static int istitlechar(char c)
static void format_sanitized_subject(struct strbuf *sb, const char *msg)
{
size_t trimlen;
size_t start_len = sb->len;
int space = 2;

for (; *msg && *msg != '\n'; msg++) {
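Review bot: The added `size_t start_len = sb->len;` declaration carries no comment saying that bytes before `start_len` belong to the caller and must never be trimmed. The second hunk depends on that invariant, so a one-line comment here would keep a later edit to the trim loop from dropping the bound again.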
@ -519,8 +520,9 @@ static void format_sanitized_subject(struct strbuf *sb, const char *msg) @@ -519,8 +520,9 @@ static void format_sanitized_subject(struct strbuf *sb, const char *msg)

/* trim any trailing '.' or '-' characters */
trimlen = 0;
while (sb->buf[sb->len - 1 - trimlen] == '.'
|| sb->buf[sb->len - 1 - trimlen] == '-')
while (sb->len - trimlen > start_len &&
(sb->buf[sb->len - 1 - trimlen] == '.'
|| sb->buf[sb->len - 1 - trimlen] == '-'))
trimlen++;
strbuf_remove(sb, sb->len - trimlen, trimlen);
}
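Review bot: No regression test accompanies the new `sb->len - trimlen > start_len` bound in the trim loop; pretty.c is the only file listed for this commit. Suggest a test that formats a subject of '...' twice, once into an empty strbuf and once into a strbuf whose existing contents already end in '.' or '-', since those are the two cases the commit message names. The comment above the loop, "trim any trailing '.' or '-' characters", is also now broader than the behaviour and could say that only characters appended by this call are trimmed.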
