From: René Scharfe Date: Sat, 31 Jan 2009 14:39:10 +0000 (+0100) Subject: merge: fix out-of-bounds memory access X-Git-Tag: v1.6.1.3~1^2~9 X-Git-Url: https://git.tokkee.org/?a=commitdiff_plain;h=c7cddc1a2f365e4f4aea71b700c0b833eb436fee;p=git.git merge: fix out-of-bounds memory access The parameter n of unpack_callback() can have a value of up to MAX_UNPACK_TREES. The check at the top of unpack_trees() (its only (indirect) caller) makes sure it cannot exceed this limit. unpack_callback() passes it and the array src to unpack_nondirectories(), which has this loop: for (i = 0; i < n; i++) { /* ... */ src[i + o->merge] = o->df_conflict_entry; o->merge can be 0 or 1, so unpack_nondirectories() potentially accesses the array src at index MAX_UNPACK_TREES. This patch makes it big enough. Reported-by: Ingo Molnar Signed-off-by: René Scharfe Signed-off-by: Junio C Hamano --- diff --git a/unpack-trees.c b/unpack-trees.c index 54f301da6..4229eec12 100644 --- a/unpack-trees.c +++ b/unpack-trees.c @@ -240,8 +240,11 @@ static struct cache_entry *create_ce_entry(const struct traverse_info *info, con return ce; } -static int unpack_nondirectories(int n, unsigned long mask, unsigned long dirmask, struct cache_entry *src[5], - const struct name_entry *names, const struct traverse_info *info) +static int unpack_nondirectories(int n, unsigned long mask, + unsigned long dirmask, + struct cache_entry **src, + const struct name_entry *names, + const struct traverse_info *info) { int i; struct unpack_trees_options *o = info->data; @@ -291,7 +294,7 @@ static int unpack_nondirectories(int n, unsigned long mask, unsigned long dirmas static int unpack_callback(int n, unsigned long mask, unsigned long dirmask, struct name_entry *names, struct traverse_info *info) { - struct cache_entry *src[5] = { NULL, }; + struct cache_entry *src[MAX_UNPACK_TREES + 1] = { NULL, }; struct unpack_trees_options *o = info->data; const struct name_entry *p = names;