parse_tag_buffer(): do not prefixcmp() out of range

There is a check (size < 64) at the beginning of the function, but
that only covers object+type lines.

Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

diff --git a/tag.c b/tag.c
index ecf7c1e9ce889514e04765695298ef11f28edab6..7d38cc0f4de1c16b5b52725ba7a6a361650a6b41 100644 (file)
--- a/tag.c
+++ b/tag.c
@@ -97,7 +97,9 @@ int parse_tag_buffer(struct tag *item, const void *data, unsigned long size)
                item->tagged = NULL;
        }
 
-       if (prefixcmp(bufptr, "tag "))
+       if (bufptr + 4 < tail && !prefixcmp(bufptr, "tag "))
+               ;               /* good */
+       else
                return -1;
        bufptr += 4;
        nl = memchr(bufptr, '\n', tail - bufptr);
@@ -106,7 +108,7 @@ int parse_tag_buffer(struct tag *item, const void *data, unsigned long size)
        item->tag = xmemdupz(bufptr, nl - bufptr);
        bufptr = nl + 1;
 
-       if (!prefixcmp(bufptr, "tagger "))
+       if (bufptr + 7 < tail && !prefixcmp(bufptr, "tagger "))
                item->date = parse_tag_date(bufptr, tail);
        else
                item->date = 0;