git-apply: do not read past the end of buffer

When the preimage we are patching is shorter than what the patch text expects, we tried to match the buffer contents at the "original" line with the fragment in full, without checking we have enough data to match in the preimage. This caused the size of a later memmove() to wrap around and attempt to scribble almost the entire address space. Not good. The code that follows the part this patch touches tries to match the fragment with line offsets. Curiously, that code does not have the problem --- it guards against reading past the end of the preimage. Signed-off-by: Junio C Hamano <gitster@pobox.com>
author: Junio C Hamano <gitster@pobox.com> 2007-09-05 21:58:40 -0700
committer: Junio C Hamano <gitster@pobox.com> 2007-09-05 21:58:40 -0700
commit: 6b763c424e4ace1678ade5310f3ca3ffbd11af2c (patch)
tree: 9d2f03dd6ec094653b82ea06e3f3ad7228ca7f42 /builtin-apply.c
parent: 5587cac28be66acf5edc2a4b83b67c8cfffbc5e9 (diff)
download: git-6b763c424e4ace1678ade5310f3ca3ffbd11af2c.tar.gz
git-6b763c424e4ace1678ade5310f3ca3ffbd11af2c.tar.xz
1 files changed, 2 insertions, 1 deletions
diff --git a/builtin-apply.c b/builtin-apply.c
index 25b144790..976ec7704 100644
--- a/builtin-apply.c
+++ b/builtin-apply.c
@@ -1514,7 +1514,8 @@ static int find_offset(const char *buf, unsigned long size, const char *fragment
 	}
 
 	/* Exact line number? */
-	if (!memcmp(buf + start, fragment, fragsize))
+	if ((start + fragsize <= size) &&
+	    !memcmp(buf + start, fragment, fragsize))
 		return start;
 
 	/*
author	Junio C Hamano <gitster@pobox.com>	2007-09-05 21:58:40 -0700
committer	Junio C Hamano <gitster@pobox.com>	2007-09-05 21:58:40 -0700
commit	6b763c424e4ace1678ade5310f3ca3ffbd11af2c (patch)
tree	9d2f03dd6ec094653b82ea06e3f3ad7228ca7f42 /builtin-apply.c
parent	5587cac28be66acf5edc2a4b83b67c8cfffbc5e9 (diff)
download	git-6b763c424e4ace1678ade5310f3ca3ffbd11af2c.tar.gz git-6b763c424e4ace1678ade5310f3ca3ffbd11af2c.tar.xz