diff: avoid stack-buffer-read-overrun for very long name
authorJim Meyering <jim@meyering.net>
Mon, 16 Apr 2012 15:20:02 +0000 (17:20 +0200)
committerJunio C Hamano <gitster@pobox.com>
Mon, 16 Apr 2012 17:10:25 +0000 (10:10 -0700)
Due to the use of strncpy without explicit NUL termination,
we could end up passing names n1 or n2 that are not NUL-terminated
to queue_diff, which requires NUL-terminated strings.
Ensure that each is NUL terminated.

Signed-off-by: Jim Meyering <meyering@redhat.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
diff-no-index.c

index 3a36144687ae2f5bf7bb3afc914ddbada8d5ff93..5cd3ff5848c1ad913c7802a157c61df42a0e9269 100644 (file)
@@ -109,6 +109,7 @@ static int queue_diff(struct diff_options *o,
                                n1 = buffer1;
                                strncpy(buffer1 + len1, p1.items[i1++].string,
                                                PATH_MAX - len1);
+                               buffer1[PATH_MAX-1] = 0;
                        }
 
                        if (comp < 0)
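Review bot: The added `buffer1[PATH_MAX-1] = 0;` stops the read overrun but leaves an over-long entry name silently truncated, so the recursive `queue_diff(o, n1, n2)` call receives a path that no longer names the entry that was read. It may not exist, or it may name a different file. The same applies to `buffer2` in the second hunk. Rejecting the entry is safer than truncating it, for example with a check before the copy such as `if (strlen(p1.items[i1].string) >= (size_t)(PATH_MAX - len1))` that reports "path too long" and fails through the function's normal error path. Both the check and the existing `PATH_MAX - len1` size argument assume `len1` is below PATH_MAX; it is set outside this hunk, so that should be confirmed, as should the cleanup path, since queue_diff's body starts and ends outside the hunk.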
@@ -117,6 +118,7 @@ static int queue_diff(struct diff_options *o,
                                n2 = buffer2;
                                strncpy(buffer2 + len2, p2.items[i2++].string,
                                                PATH_MAX - len2);
+                               buffer2[PATH_MAX-1] = 0;
                        }
 
                        ret = queue_diff(o, n1, n2);