diff options
author | Nguyễn Thái Ngọc Duy <pclouds@gmail.com> | 2011-11-13 17:22:15 +0700 |
---|---|---|
committer | Junio C Hamano <gitster@pobox.com> | 2011-12-05 16:21:06 -0800 |
commit | d5a35c114ab6b4337a1c7598bf75c331d94ee092 (patch) | |
tree | 675d14129b5e8e7b06210e37e1b8dbd147ab9e09 /builtin/fmt-merge-msg.c | |
parent | c6893323917cbf4cb66c29ba2ac03014a44f0f0c (diff) | |
download | git-d5a35c114ab6b4337a1c7598bf75c331d94ee092.tar.gz |
Copy resolve_ref() return value for longer use
resolve_ref() may return a pointer to a static buffer. Callers that
use this value longer than a couple of statements should copy the
value to avoid some hidden resolve_ref() call that may change the
static buffer's value.
The bug found by Tony Wang <wwwjfy@gmail.com> in builtin/merge.c
demonstrates this. The first call is in cmd_merge()
branch = resolve_ref("HEAD", head_sha1, 0, &flag);
Then deep in lookup_commit_or_die() a few lines after, resolve_ref()
may be called again and destroy "branch".
lookup_commit_or_die
lookup_commit_reference
lookup_commit_reference_gently
parse_object
lookup_replace_object
do_lookup_replace_object
prepare_replace_object
for_each_replace_ref
do_for_each_ref
get_loose_refs
get_ref_dir
get_ref_dir
resolve_ref
All call sites are checked and made sure that xstrdup() is called if
the value should be saved.
Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'builtin/fmt-merge-msg.c')
-rw-r--r-- | builtin/fmt-merge-msg.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/builtin/fmt-merge-msg.c b/builtin/fmt-merge-msg.c index 7e2f22589d..a3ba215209 100644 --- a/builtin/fmt-merge-msg.c +++ b/builtin/fmt-merge-msg.c @@ -268,6 +268,7 @@ static int do_fmt_merge_msg(int merge_title, struct strbuf *in, die("No current branch"); if (!prefixcmp(current_branch, "refs/heads/")) current_branch += 11; + current_branch = xstrdup(current_branch); /* get a line */ while (pos < in->len) { @@ -283,8 +284,10 @@ static int do_fmt_merge_msg(int merge_title, struct strbuf *in, die ("Error in line %d: %.*s", i, len, p); } - if (!srcs.nr) + if (!srcs.nr) { + free((char*)current_branch); return 0; + } if (merge_title) do_fmt_merge_msg_title(out, current_branch); @@ -306,6 +309,7 @@ static int do_fmt_merge_msg(int merge_title, struct strbuf *in, shortlog(origins.items[i].string, origins.items[i].util, head, &rev, shortlog_len, out); } + free((char *)current_branch); return 0; } |