parse_tag_buffer(): do not prefixcmp() out of range
There is a check (size < 64) at the beginning of the function, but that only covers object+type lines. Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
This commit is contained in:
parent
24231e063f
commit
855942528e
6
tag.c
6
tag.c
@ -97,7 +97,9 @@ int parse_tag_buffer(struct tag *item, const void *data, unsigned long size)
|
|||||||
item->tagged = NULL;
|
item->tagged = NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (prefixcmp(bufptr, "tag "))
|
if (bufptr + 4 < tail && !prefixcmp(bufptr, "tag "))
|
||||||
|
; /* good */
|
||||||
|
else
|
||||||
return -1;
|
return -1;
|
||||||
bufptr += 4;
|
bufptr += 4;
|
||||||
nl = memchr(bufptr, '\n', tail - bufptr);
|
nl = memchr(bufptr, '\n', tail - bufptr);
|
||||||
@ -106,7 +108,7 @@ int parse_tag_buffer(struct tag *item, const void *data, unsigned long size)
|
|||||||
item->tag = xmemdupz(bufptr, nl - bufptr);
|
item->tag = xmemdupz(bufptr, nl - bufptr);
|
||||||
bufptr = nl + 1;
|
bufptr = nl + 1;
|
||||||
|
|
||||||
if (!prefixcmp(bufptr, "tagger "))
|
if (bufptr + 7 < tail && !prefixcmp(bufptr, "tagger "))
|
||||||
item->date = parse_tag_date(bufptr, tail);
|
item->date = parse_tag_date(bufptr, tail);
|
||||||
else
|
else
|
||||||
item->date = 0;
|
item->date = 0;
|
||||||
|
Loading…
Reference in New Issue
Block a user