From: Junio C Hamano <gitster@pobox.com>
To: Elijah Newren <newren@gmail.com>
Cc: git@vger.kernel.org
Subject: Re: [PATCHv2 2/2] rerere: avoid buffer overrun
Date: Tue, 11 Sep 2018 13:45:00 -0700 [thread overview]
Message-ID: <xmqqd0tjojar.fsf@gitster-ct.c.googlers.com> (raw)
In-Reply-To: <20180911185546.10449-3-newren@gmail.com> (Elijah Newren's message of "Tue, 11 Sep 2018 11:55:46 -0700")
Elijah Newren <newren@gmail.com> writes:
> check_one_conflict() compares `i` to `active_nr` in two places to avoid
> buffer overruns, but left out an important third location.
>
> The code did used to have a check here comparing i to active_nr, back
> before commit fb70a06da2f1 ("rerere: fix an off-by-one non-bug",
> 2015-06-28), however the code at the time used an 'if' rather than a
> 'while' meaning back then that this loop could not have read past the
> end of the array, making the check unnecessary and it was removed.
> Unfortunately, in commit 5eda906b2873 ("rerere: handle conflicts with
> multiple stage #1 entries", 2015-07-24), the 'if' was changed to a
> 'while' and the check comparing i and active_nr was not re-instated,
> leading to this problem.
>
> Signed-off-by: Elijah Newren <newren@gmail.com>
> ---
Thanks. Looks good to me.
> rerere.c | 2 +-
> t/t4200-rerere.sh | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/rerere.c b/rerere.c
> index c7787aa07f..783d4dae2a 100644
> --- a/rerere.c
> +++ b/rerere.c
> @@ -533,7 +533,7 @@ static int check_one_conflict(int i, int *type)
> }
>
> *type = PUNTED;
> - while (ce_stage(active_cache[i]) == 1)
> + while (i < active_nr && ce_stage(active_cache[i]) == 1)
> i++;
>
> /* Only handle regular files with both stages #2 and #3 */
> diff --git a/t/t4200-rerere.sh b/t/t4200-rerere.sh
> index f9294b7677..313222d0d6 100755
> --- a/t/t4200-rerere.sh
> +++ b/t/t4200-rerere.sh
> @@ -596,7 +596,7 @@ test_expect_success 'setup simple stage 1 handling' '
> )
> '
>
> -test_expect_failure 'test simple stage 1 handling' '
> +test_expect_success 'test simple stage 1 handling' '
> (
> cd stage_1_handling &&
prev parent reply other threads:[~2018-09-11 20:45 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-05 17:56 [PATCH] rerere: avoid buffer overrun Elijah Newren
2018-09-11 18:55 ` [PATCHv2 0/2] Fix rerere segfault with specially crafted merge Elijah Newren
2018-09-11 18:55 ` [PATCHv2 1/2] t4200: demonstrate rerere segfault on " Elijah Newren
2018-09-11 18:55 ` [PATCHv2 2/2] rerere: avoid buffer overrun Elijah Newren
2018-09-11 20:45 ` Junio C Hamano [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=xmqqd0tjojar.fsf@gitster-ct.c.googlers.com \
--to=gitster@pobox.com \
--cc=git@vger.kernel.org \
--cc=newren@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.