From 6b763c424e4ace1678ade5310f3ca3ffbd11af2c Mon Sep 17 00:00:00 2001
From: Junio C Hamano <gitster@pobox.com>
Date: Wed, 5 Sep 2007 21:58:40 -0700
Subject: git-apply: do not read past the end of buffer

When the preimage we are patching is shorter than what the patch
text expects, we tried to match the buffer contents at the
"original" line with the fragment in full, without checking we
have enough data to match in the preimage.  This caused the size
of a later memmove() to wrap around and attempt to scribble
almost the entire address space.  Not good.

The code that follows the part this patch touches tries to match
the fragment with line offsets.  Curiously, that code does not
have the problem --- it guards against reading past the end of
the preimage.

Signed-off-by: Junio C Hamano <gitster@pobox.com>
---
 builtin-apply.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'builtin-apply.c')

diff --git a/builtin-apply.c b/builtin-apply.c
index 25b1447901..976ec77041 100644
--- a/builtin-apply.c
+++ b/builtin-apply.c
@@ -1514,7 +1514,8 @@ static int find_offset(const char *buf, unsigned long size, const char *fragment
 	}
 
 	/* Exact line number? */
-	if (!memcmp(buf + start, fragment, fragsize))
+	if ((start + fragsize <= size) &&
+	    !memcmp(buf + start, fragment, fragsize))
 		return start;
 
 	/*
-- 
cgit v1.2.1