![[tokkee]](http://tokkee.org/images/avatar.png){kind=avatar}
| author | René Scharfe <rene.scharfe@lsrfire.ath.cx> | |
| Sat, 31 Jan 2009 14:39:10 +0000 (15:39 +0100) | ||
| committer | Junio C Hamano <gitster@pobox.com> | |
| Sat, 31 Jan 2009 18:39:55 +0000 (10:39 -0800) | ||
| commit | c7cddc1a2f365e4f4aea71b700c0b833eb436fee | |
| tree | bef2c12a4203ddd03aa27def6bc1fe8fefc8e451 | tree | snapshot |
| parent | 915308b187bdaba9ad1c6c3dea7b2b4b200b4796 | commit | diff |
merge: fix out-of-bounds memory access
The parameter n of unpack_callback() can have a value of up to
MAX_UNPACK_TREES. The check at the top of unpack_trees() (its only
(indirect) caller) makes sure it cannot exceed this limit.
unpack_callback() passes it and the array src to unpack_nondirectories(),
which has this loop:
for (i = 0; i < n; i++) {
/* ... */
src[i + o->merge] = o->df_conflict_entry;
o->merge can be 0 or 1, so unpack_nondirectories() potentially accesses
the array src at index MAX_UNPACK_TREES. This patch makes it big enough.
Reported-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: René Scharfe <rene.scharfe@lsrfire.ath.cx>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
The parameter n of unpack_callback() can have a value of up to
MAX_UNPACK_TREES. The check at the top of unpack_trees() (its only
(indirect) caller) makes sure it cannot exceed this limit.
unpack_callback() passes it and the array src to unpack_nondirectories(),
which has this loop:
for (i = 0; i < n; i++) {
/* ... */
src[i + o->merge] = o->df_conflict_entry;
o->merge can be 0 or 1, so unpack_nondirectories() potentially accesses
the array src at index MAX_UNPACK_TREES. This patch makes it big enough.
Reported-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: René Scharfe <rene.scharfe@lsrfire.ath.cx>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
| unpack-trees.c | diff | blob | history |