refspec: initalize refspec_item
in valid_fetch_refspec()
We allocate a `struct refspec_item` on the stack without initializing it. In particular, its `dst` and `src` members will contain some random data from the stack. When we later call `refspec_item_clear()`, it will call `free()` on those pointers. So if the call to `parse_refspec()` did not assign to them, we will be freeing some random "pointers". This is undefined behavior. To the best of my understanding, this cannot currently be triggered by user-provided data. And for what it's worth, the test-suite does not trigger this with SANITIZE=address. It can be provoked by calling `valid_fetch_refspec(":*")`. Zero the struct, as is done in other users of `struct refspec_item` by using the refspec_item_init() initialization function. Signed-off-by: Martin Ågren <martin.agren@gmail.com> Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
This commit is contained in:
parent
c495fd3d1b
commit
7865d157a5
@ -194,7 +194,7 @@ void refspec_clear(struct refspec *rs)
|
||||
int valid_fetch_refspec(const char *fetch_refspec_str)
|
||||
{
|
||||
struct refspec_item refspec;
|
||||
int ret = parse_refspec(&refspec, fetch_refspec_str, REFSPEC_FETCH);
|
||||
int ret = refspec_item_init(&refspec, fetch_refspec_str, REFSPEC_FETCH);
|
||||
refspec_item_clear(&refspec);
|
||||
return ret;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user