read_object_with_reference: don't read beyond the buffer
authorMartin Koegler <mkoegler@auto.tuwien.ac.at>
Mon, 18 Feb 2008 20:47:52 +0000 (21:47 +0100)
committerJunio C Hamano <gitster@pobox.com>
Tue, 19 Feb 2008 03:20:17 +0000 (19:20 -0800)
Signed-off-by: Martin Koegler <mkoegler@auto.tuwien.ac.at>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
sha1_file.c

index 66a4e00fa83fd9fc853a1ba8a308b05cdc030967..0ca7f0dbc6eda54e43240a45f2cff4cf70659fbd 100644 (file)
@@ -1943,7 +1943,8 @@ void *read_object_with_reference(const unsigned char *sha1,
                }
                ref_length = strlen(ref_type);
 
-               if (memcmp(buffer, ref_type, ref_length) ||
+               if (ref_length + 40 > isize ||
+                   memcmp(buffer, ref_type, ref_length) ||
                    get_sha1_hex((char *) buffer + ref_length, actual_sha1)) {
                        free(buffer);
                        return NULL;
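Review bot: The bare `40` in the added `ref_length + 40 > isize` test is unexplained, although it is the only thing tying this bound to the hex object name that `get_sha1_hex()` is about to parse at `buffer + ref_length`. A one-line comment above the condition, e.g. `/* buffer must hold ref_type followed by a 40-hex-digit object name */`, or a named constant for the hex length, would keep the bound and the parser in step if either changes. The declarations of `ref_length` and `isize` are outside this hunk, so confirm that the comparison cannot go wrong through a signed/unsigned mix or a wrapped sum. The body of read_object_with_reference starts and ends outside the hunk.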