authorStephen Boyd <bebarino@gmail.com>2009-03-31 16:24:38 -0700
committerJunio C Hamano <gitster@pobox.com>2009-04-01 11:05:31 -0700
commit871d21d42e0f782b7cb111beec8c252e9aa627ff (patch)
treebfead1becb7382b905217be564a04313bad52205
parentb09b868f7fee689483d00bea3d52c0f14a80386c (diff)
format_sanitized_subject: Don't trim past initial length of strbuf
If the subject line is '...' the strbuf will be accessed before the first dot is added; potentially changing the strbuf passed into the function or accessing sb->buf[-1] if it was originally empty. Reported-by: René Scharfe <rene.scharfe@lsrfire.ath.cx> Signed-off-by: Junio C Hamano <gitster@pobox.com>
-rw-r--r--pretty.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/pretty.c b/pretty.c
index c57cef47c9..a0ef356558 100644
--- a/pretty.c
+++ b/pretty.c
@@ -502,6 +502,7 @@ static int istitlechar(char c)
static void format_sanitized_subject(struct strbuf *sb, const char *msg)
{
size_t trimlen;
+ size_t start_len = sb->len;
int space = 2;
for (; *msg && *msg != '\n'; msg++) {
@@ -519,8 +520,9 @@ static void format_sanitized_subject(struct strbuf *sb, const char *msg)
/* trim any trailing '.' or '-' characters */
trimlen = 0;
- while (sb->buf[sb->len - 1 - trimlen] == '.'
- || sb->buf[sb->len - 1 - trimlen] == '-')
+ while (sb->len - trimlen > start_len &&
+ (sb->buf[sb->len - 1 - trimlen] == '.'
+ || sb->buf[sb->len - 1 - trimlen] == '-'))
trimlen++;
strbuf_remove(sb, sb->len - trimlen, trimlen);
}
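Review bot: The new bound `sb->len - trimlen > start_len` in the trim loop is unsigned arithmetic that is only safe while `sb->len >= start_len`, and nothing near the loop states that invariant; the comment above it could read `/* trim trailing '.' or '-', but only bytes appended since start_len; earlier bytes belong to the caller */`. The invariant holds as long as the part of format_sanitized_subject between the two hunks, which is not visible here, only appends to sb; that is presumably the case but should be confirmed. A regression test with a subject of just `...`, run once against an empty strbuf and once against a pre-filled one, would pin both failure modes named in the commit message (the sb->buf[-1] read and the modification of the caller's existing content). After this change such a subject appends nothing at all, so callers are worth checking for how they handle an empty sanitized subject.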