kernel
/
git
mirror of https://git.kernel.org/pub/scm/git/git.git
1
0
Fork 0
Code Releases Activity

format_sanitized_subject: Don't trim past initial length of strbuf 

If the subject line is '...' the strbuf will be accessed before the
first dot is added; potentially changing the strbuf passed into the
function or accessing sb->buf[-1] if it was originally empty.

Reported-by: René Scharfe <rene.scharfe@lsrfire.ath.cx>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
maint
Stephen Boyd 2009-03-31 16:24:38 -07:00 committed by Junio C Hamano
parent b09b868f7f
commit 871d21d42e
1 changed files with 4 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
pretty.c
View File

@ -502,6 +502,7 @@ static int istitlechar(char c)
static void format_sanitized_subject(struct strbuf *sb, const char *msg) static void format_sanitized_subject(struct strbuf *sb, const char *msg)
{ {
size_t trimlen; size_t trimlen;
size_t start_len = sb->len;
int space = 2; int space = 2;


for (; *msg && *msg != '\n'; msg++) { for (; *msg && *msg != '\n'; msg++) {
@ -519,8 +520,9 @@ static void format_sanitized_subject(struct strbuf *sb, const char *msg)


/* trim any trailing '.' or '-' characters */ /* trim any trailing '.' or '-' characters */
trimlen = 0; trimlen = 0;
while (sb->buf[sb->len - 1 - trimlen] == '.' while (sb->len - trimlen > start_len &&
|| sb->buf[sb->len - 1 - trimlen] == '-') (sb->buf[sb->len - 1 - trimlen] == '.'
|| sb->buf[sb->len - 1 - trimlen] == '-'))
trimlen++; trimlen++;
strbuf_remove(sb, sb->len - trimlen, trimlen); strbuf_remove(sb, sb->len - trimlen, trimlen);
} }