diff options
author | Stephen Boyd <bebarino@gmail.com> | 2009-03-31 16:24:38 -0700 |
---|---|---|
committer | Junio C Hamano <gitster@pobox.com> | 2009-04-01 11:05:31 -0700 |
commit | 871d21d42e0f782b7cb111beec8c252e9aa627ff (patch) | |
tree | bfead1becb7382b905217be564a04313bad52205 | |
parent | b09b868f7fee689483d00bea3d52c0f14a80386c (diff) | |
download | git-871d21d42e0f782b7cb111beec8c252e9aa627ff.tar.gz |
format_sanitized_subject: Don't trim past initial length of strbuf
If the subject line is '...' the strbuf will be accessed before the
first dot is added; potentially changing the strbuf passed into the
function or accessing sb->buf[-1] if it was originally empty.
Reported-by: René Scharfe <rene.scharfe@lsrfire.ath.cx>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
-rw-r--r-- | pretty.c | 6 |
1 files changed, 4 insertions, 2 deletions
@@ -502,6 +502,7 @@ static int istitlechar(char c) static void format_sanitized_subject(struct strbuf *sb, const char *msg) { size_t trimlen; + size_t start_len = sb->len; int space = 2; for (; *msg && *msg != '\n'; msg++) { @@ -519,8 +520,9 @@ static void format_sanitized_subject(struct strbuf *sb, const char *msg) /* trim any trailing '.' or '-' characters */ trimlen = 0; - while (sb->buf[sb->len - 1 - trimlen] == '.' - || sb->buf[sb->len - 1 - trimlen] == '-') + while (sb->len - trimlen > start_len && + (sb->buf[sb->len - 1 - trimlen] == '.' + || sb->buf[sb->len - 1 - trimlen] == '-')) trimlen++; strbuf_remove(sb, sb->len - trimlen, trimlen); } |