From 855942528e892cff3cadb4eb1c4cf1d2a7cd83de Mon Sep 17 00:00:00 2001 From: =?utf8?q?Nguy=E1=BB=85n=20Th=C3=A1i=20Ng=E1=BB=8Dc=20Duy?= Date: Mon, 14 Feb 2011 20:02:51 +0700 Subject: [PATCH] parse_tag_buffer(): do not prefixcmp() out of range MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit There is a check (size < 64) at the beginning of the function, but that only covers object+type lines. Signed-off-by: Nguyễn Thái Ngọc Duy Signed-off-by: Junio C Hamano --- tag.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/tag.c b/tag.c index ecf7c1e9c..7d38cc0f4 100644 --- a/tag.c +++ b/tag.c @@ -97,7 +97,9 @@ int parse_tag_buffer(struct tag *item, const void *data, unsigned long size) item->tagged = NULL; } - if (prefixcmp(bufptr, "tag ")) + if (bufptr + 4 < tail && !prefixcmp(bufptr, "tag ")) + ; /* good */ + else return -1; bufptr += 4; nl = memchr(bufptr, '\n', tail - bufptr); @@ -106,7 +108,7 @@ int parse_tag_buffer(struct tag *item, const void *data, unsigned long size) item->tag = xmemdupz(bufptr, nl - bufptr); bufptr = nl + 1; - if (!prefixcmp(bufptr, "tagger ")) + if (bufptr + 7 < tail && !prefixcmp(bufptr, "tagger ")) item->date = parse_tag_date(bufptr, tail); else item->date = 0; -- 2.26.2