diff options
author | John Keeping <john@keeping.me.uk> | 2014-03-08 19:29:17 +0000 |
---|---|---|
committer | Junio C Hamano <gitster@pobox.com> | 2014-03-11 14:44:21 -0700 |
commit | 89ccc1b09cf4004e6129c66def42b47206ed6b5f (patch) | |
tree | 58dc634d9e32bd49cc5a4d4e0584b389493e985f | |
parent | 7bbc4e8fdb33e0a8e42e77cc05460d4c4f615f4d (diff) | |
download | git-89ccc1b09cf4004e6129c66def42b47206ed6b5f.tar.gz |
builtin/mv: fix out of bounds write
When commit a88c915 (mv: move submodules using a gitfile, 2013-07-30)
added the submodule_gitfile array, it was not added to the block that
enlarges the arrays when we are moving a directory so that we do not
have to worry about it being a directory when we perform the actual
move. After this, the loop continues over the enlarged set of sources.
Since we assume that submodule_gitfile has size argc, if any of the
items in the source directory are submodules we are guaranteed to write
beyond the end of submodule_gitfile.
Fix this by realloc'ing submodule_gitfile at the same time as the other
arrays.
Reported-by: Guillaume Gelin <contact@ramnes.eu>
Signed-off-by: John Keeping <john@keeping.me.uk>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
-rw-r--r-- | builtin/mv.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/builtin/mv.c b/builtin/mv.c index 21c46d1636..5258077224 100644 --- a/builtin/mv.c +++ b/builtin/mv.c @@ -179,6 +179,9 @@ int cmd_mv(int argc, const char **argv, const char *prefix) modes = xrealloc(modes, (argc + last - first) * sizeof(enum update_mode)); + submodule_gitfile = xrealloc(submodule_gitfile, + (argc + last - first) + * sizeof(char *)); } dst = add_slash(dst); @@ -192,6 +195,7 @@ int cmd_mv(int argc, const char **argv, const char *prefix) prefix_path(dst, dst_len, path + length + 1); modes[argc + j] = INDEX; + submodule_gitfile[argc + j] = NULL; } argc += last - first; } |