path: root/t/helper/test-string-list.c
author: Patrick Steinhardt <ps@pks.im> 2025-01-10 12:26:17 +0100
committer: Junio C Hamano <gitster@pobox.com> 2025-01-10 06:56:54 -0800
commit: 1fbb8d7ecb7bd78ac55d226b6b073372a5ea2c2d
tree: fbcd303384259bcd2a756f0ab73c030012029f59 /t/helper/test-string-list.c
parent: t/helper: don't depend on implicit wraparound
builtin/blame: fix out-of-bounds read with excessive `--abbrev`
In 6411a0a896 (builtin/blame: fix type of `length` variable when emitting object ID, 2024-12-06) we have fixed the type of the `length` variable. In order to avoid a cast from `size_t` to `int` in the call to printf(3p) with the "%.*s" formatter we have converted the code to instead use fwrite(3p), which accepts the length as a `size_t`.

It was reported though that this makes us read over the end of the OID array when the provided `--abbrev=` length exceeds the length of the object ID. This is because fwrite(3p) of course doesn't stop when it sees a NUL byte, whereas printf(3p) does.

Fix the bug by reverting back to printf(3p) and culling the provided length to `GIT_MAX_HEXSZ` to keep it from overflowing when cast to an `int`.

Reported-by: Johannes Schindelin <Johannes.Schindelin@gmx.de>
Signed-off-by: Patrick Steinhardt <ps@pks.im>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 't/helper/test-string-list.c')
0 files changed, 0 insertions, 0 deletions
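The difference the commit message describes, as an added example (not code from the git repository): fwrite(3p) emits every requested byte past the NUL, while "%.*s" with a clamped length stops at the end of the string. `EXAMPLE_MAX_HEXSZ`, `sample_hex` and the function names are hypothetical, and the value 64 used as a stand-in for `GIT_MAX_HEXSZ` is an assumption.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for git's GIT_MAX_HEXSZ; 64 (SHA-256 hex length) is an assumption here. */
#define EXAMPLE_MAX_HEXSZ 64

/* Constructed sample: a 40-character hex ID, its NUL, then filler bytes that
 * stand in for whatever happens to follow the string in memory. */
static char sample_hex[EXAMPLE_MAX_HEXSZ + 1];

static void init_sample(void)
{
	memset(sample_hex, 'X', sizeof(sample_hex));
	memcpy(sample_hex, "0123456789abcdef0123456789abcdef01234567", 41);
}

/* fwrite(3p) copies exactly `length` bytes; a NUL does not stop it. */
static size_t emit_with_fwrite(FILE *fp, const char *hex, size_t length)
{
	return fwrite(hex, 1, length, fp);
}

/* "%.*s" stops at the NUL; clamping first keeps the int cast in range. */
static int emit_with_printf(FILE *fp, const char *hex, size_t length)
{
	if (length > EXAMPLE_MAX_HEXSZ)
		length = EXAMPLE_MAX_HEXSZ;
	return fprintf(fp, "%.*s", (int)length, hex);
}

int main(void)
{
	size_t abbrev = 50; /* longer than the 40-character ID, still inside the buffer */

	init_sample();
	/* Emits 40 hex digits, the NUL, and 9 filler bytes. */
	fprintf(stderr, "fwrite: %zu bytes\n", emit_with_fwrite(stdout, sample_hex, abbrev));
	/* Emits the 40 hex digits only, even for an absurd length. */
	fprintf(stderr, "printf: %d bytes\n", emit_with_printf(stdout, sample_hex, abbrev));
	fprintf(stderr, "printf: %d bytes\n",
		emit_with_printf(stdout, sample_hex, (size_t)INT_MAX + 10));
	return 0;
}
```

The sample length of 50 stays inside the 65-byte buffer so the demonstration itself is well defined; a length beyond the buffer is the out-of-bounds read the commit fixes.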