avoid segfault when reading header of malformed commits

If a commit object has a header line at the end of the
buffer that is missing its newline (or if it appears so
because the content on the header line contains a stray
NUL), then git will segfault.

Interestingly, this case is explicitly handled and we do
correctly scan the final line for the header we are looking
for. But if we don't find it, we will dereference NULL while
trying to look at the next line.

Git will never generate such a commit, but it's good to be
defensive. We could die() in such a case, but since it's
easy enough to handle it gracefully, let's just issue a
warning and continue (so you could still view such a commit
with "git show", though you might be missing headers after
the NUL).

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

diff --git a/pretty.c b/pretty.c
index 8688b8f2d45a493aa8b51b29f7d46b2abff7f30e..cee77e48f36560c33ff2ffe706f61acea0c16bbb 100644 (file)
--- a/pretty.c
+++ b/pretty.c
@@ -439,12 +439,14 @@ static char *get_header(const struct commit *commit, const char *key)
        int key_len = strlen(key);
        const char *line = commit->buffer;
 
-       for (;;) {
+       while (line) {
                const char *eol = strchr(line, '\n'), *next;
 
                if (line == eol)
                        return NULL;
                if (!eol) {
+                       warning("malformed commit (header is missing newline): %s",
+                               sha1_to_hex(commit->object.sha1));
                        eol = line + strlen(line);
                        next = NULL;
                } else
@@ -456,6 +458,7 @@ static char *get_header(const struct commit *commit, const char *key)
                }
                line = next;
        }
+       return NULL;
 }
 
 static char *replace_encoding_header(char *buf, const char *encoding)