From: Nguyễn Thái Ngọc Duy Date: Wed, 20 Jan 2010 14:09:16 +0000 (+0700) Subject: Fix memory corruption when .gitignore does not end by \n X-Git-Tag: v1.7.0-rc0~25^2 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=45d76f17182278d4c1de37b3eed60beb3b2f21ab;p=git.git Fix memory corruption when .gitignore does not end by \n Commit b5041c5 (Avoid writing to buffer in add_excludes_from_file_1()) tried not to append '\n' at the end because the next commit may return a buffer that does not have extra space for that. Unfortunately it left this assignment in the loop: buf[i - (i && buf[i-1] == '\r')] = 0; that can corrupt memory if "buf" is not '\n' terminated. But even if it does not corrupt memory, the last line would not be NULL-terminated, leading to errors later inside add_exclude(). This patch fixes it by reverting the faulty commit and make sure "buf" is always \n terminated. While at it, free unused memory properly. Signed-off-by: Nguyễn Thái Ngọc Duy Signed-off-by: Junio C Hamano --- diff --git a/dir.c b/dir.c index 1538ad5da..67c3af6a1 100644 --- a/dir.c +++ b/dir.c @@ -242,6 +242,14 @@ int add_excludes_from_file_to_list(const char *fname, if (!check_index || (buf = read_skip_worktree_file_from_index(fname, &size)) == NULL) return -1; + if (size == 0) { + free(buf); + return 0; + } + if (buf[size-1] != '\n') { + buf = xrealloc(buf, size+1); + buf[size++] = '\n'; + } } else { size = xsize_t(st.st_size); @@ -249,19 +257,21 @@ int add_excludes_from_file_to_list(const char *fname, close(fd); return 0; } - buf = xmalloc(size); + buf = xmalloc(size+1); if (read_in_full(fd, buf, size) != size) { + free(buf); close(fd); return -1; } + buf[size++] = '\n'; close(fd); } if (buf_p) *buf_p = buf; entry = buf; - for (i = 0; i <= size; i++) { - if (i == size || buf[i] == '\n') { + for (i = 0; i < size; i++) { + if (buf[i] == '\n') { if (entry != buf + i && entry[0] != '#') { buf[i - (i && buf[i-1] == '\r')] = 0; add_exclude(entry, base, baselen, which);