author    Jim Meyering <jim@meyering.net>    Fri, 20 May 2011 17:20:12 +0000 (19:20 +0200)
committer Junio C Hamano <gitster@pobox.com> Fri, 20 May 2011 18:39:49 +0000 (11:39 -0700)
commit    42536dd9b9829b4eb4e3706e141b3c8bffa3e826
tree      db640fa331f2b513c593eda286400c2086c9ec5a
parent    5269edf1702b7375a287d5bbbb3c1b1f3a8aa765
do not read beyond end of malloc'd buffer
With diff.suppress-blank-empty=true, "git diff --word-diff" would
output data that had been read from uninitialized heap memory.
The problem was that fn_out_consume did not account for the
possibility of a line with length 1, i.e., the empty context line
that diff.suppress-blank-empty=true converts from " \n" to "\n".
Since it assumed there would always be a prefix character (the space),
it decremented "len" unconditionally, thus passing len=0 to emit_line,
which would then blindly call emit_line_0 with len=-1 which would
pass that value on to fwrite as SIZE_MAX. Boom.
Signed-off-by: Jim Meyering <meyering@redhat.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
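The arithmetic the commit message describes, as an added example that is not git's own diff.c code: a buggy helper that strips the prefix unconditionally and hands "len - 1" to fwrite as a size_t, beside a fixed helper that only strips a prefix when one exists and validates the range first. The inputs (" foo\n" and the bare "\n" that diff.suppress-blank-empty=true produces) are constructed, and buggy_fwrite_count and safe_context_body are hypothetical names, not functions from git.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed inputs: an ordinary context line with its leading space,
 * and the bare newline that diff.suppress-blank-empty=true produces for
 * an empty context line. */
static const char CTX_LINE[] = " foo\n";
static const char BARE_NL[]  = "\n";

/* Mirrors the pre-fix arithmetic: drop the prefix unconditionally
 * (len--), then drop the newline (len - 1) and convert to the size_t
 * that fwrite would receive. Returns that count instead of writing, so
 * the hazard is visible without touching memory. Hypothetical helper. */
size_t buggy_fwrite_count(const char *line, int len)
{
    (void)line;
    len--;                      /* assumes a prefix character is present */
    return (size_t)(len - 1);   /* for len == 1 this is (size_t)-1 == SIZE_MAX */
}

/* Fixed variant: reject anything that is not a newline-terminated line,
 * treat the bare "\n" as a zero-length body with no prefix, and only
 * then strip the prefix and newline using unsigned lengths that cannot
 * go negative. Copies the body into out (NUL-terminated) and returns
 * its length, or -1 on malformed input or insufficient space. */
int safe_context_body(const char *line, size_t len, char *out, size_t outcap)
{
    size_t body;

    if (len == 0 || line[len - 1] != '\n')
        return -1;                       /* not a complete line */
    if (len == 1) {                      /* bare "\n": no prefix, no body */
        if (outcap == 0)
            return -1;
        out[0] = '\0';
        return 0;
    }
    line++;                              /* prefix character present: skip it */
    len--;
    body = len - 1;                      /* drop the trailing newline */
    if (body + 1 > outcap)
        return -1;
    memcpy(out, line, body);
    out[body] = '\0';
    return (int)body;
}

int main(void)
{
    char buf[16];

    printf("buggy count for \" foo\\n\": %zu\n", buggy_fwrite_count(CTX_LINE, 5));
    printf("buggy count for \"\\n\":     %zu (SIZE_MAX)\n", buggy_fwrite_count(BARE_NL, 1));
    printf("fixed body for \" foo\\n\":  %d bytes (\"%s\")\n",
           safe_context_body(CTX_LINE, 5, buf, sizeof buf), buf);
    printf("fixed body for \"\\n\":      %d bytes\n",
           safe_context_body(BARE_NL, 1, buf, sizeof buf));
    return 0;
}
```

The key change is the order of operations: the length is checked before the prefix is assumed, and the subtraction happens on a value already known to be at least 2, so the (size_t)-1 conversion the commit describes cannot occur.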
Files changed: diff.c, t/t4034-diff-words.sh