author: Patrick Steinhardt <ps@pks.im>, 2018-10-19 09:47:50 +0200
committer: Patrick Steinhardt <ps@pks.im>, 2018-10-25 12:52:54 +0200
commit: ee11d47e3d907b66eeff99e0ba1e1c71e05164b7
tree: cb9a9b1e6f4e052a7bd7aefda53623e8409c1acf /src/commit.c
parent: 4c738e563d0a52c7f06902a6bdac37fe3472b86b
tag: fix out of bounds read when searching for tag message
When parsing tags, we skip all unknown fields that appear before the tag message. This skipping is done by using a plain `strstr(buffer, "\n\n")` to search for the two newlines that separate tag fields from tag message. As it is not possible to supply a buffer length to `strstr`, this call may skip over the buffer's end and thus result in an out of bounds read. As `strstr` may return a pointer that is out of bounds, the following computation of `buffer_end - buffer` will overflow and result in an allocation of an invalid length.

Fix the issue by using `git__memmem` instead. Add a test that verifies parsing the tag fails not due to the allocation failure but due to the tag having no message.
Diffstat (limited to 'src/commit.c')
0 files changed, 0 insertions, 0 deletions
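The failure mode the commit message describes, as an added example that is not libgit2's code: an unbounded `strstr` finds a separator past the logical end of a tag buffer and the length computation wraps, while a length-bounded search reports that there is no message. The names `bounded_find`, `unbounded_msg_len` and `bounded_msg_len` and the sample buffer are hypothetical and constructed for illustration; the backing array is NUL-terminated so the demonstration itself stays within defined behaviour.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a tag object with no message, followed in the same
 * NUL-terminated array by unrelated bytes that happen to contain "\n\n". */
#define TAG "object 1234\ntype commit\ntag v1.0\n"
static const char backing[] = TAG "stale\n\nbytes";
static const size_t tag_len = sizeof(TAG) - 1;

/* Hypothetical length-bounded search; never reads past hay + hay_len. */
static const char *bounded_find(const char *hay, size_t hay_len,
                                const char *needle, size_t n)
{
    size_t i;
    if (n == 0 || hay_len < n)
        return NULL;
    for (i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0)
            return hay + i;
    return NULL;
}

/* Pattern from the commit message: unbounded strstr, then end - position. */
static size_t unbounded_msg_len(const char *buf, size_t len)
{
    const char *sep = strstr(buf, "\n\n");      /* ignores len */
    if (sep == NULL)
        return 0;
    return (size_t)((buf + len) - (sep + 2));   /* wraps if sep is past end */
}

/* Bounded variant: 0 and *msg_len on success, -1 if there is no message. */
static int bounded_msg_len(const char *buf, size_t len, size_t *msg_len)
{
    const char *sep = bounded_find(buf, len, "\n\n", 2);
    if (sep == NULL)
        return -1;
    *msg_len = (size_t)((buf + len) - (sep + 2));
    return 0;
}

int main(void)
{
    size_t n = 0;
    printf("unbounded length: %zu\n", unbounded_msg_len(backing, tag_len));
    printf("bounded result:   %d\n", bounded_msg_len(backing, tag_len, &n));
    return 0;
}
```

On the constructed input the unbounded variant returns a value close to `SIZE_MAX`, which is the invalid allocation length the commit message refers to.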