From: "René Scharfe" <rene.scharfe@lsrfire.ath.cx>
To: Ingo Molnar <mingo@elte.hu>
Cc: Junio C Hamano <gitster@pobox.com>,
	"H. Peter Anvin" <hpa@zytor.com>,
	Git Mailing List <git@vger.kernel.org>,
	Daniel Barkalow <barkalow@iabervon.org>
Subject: [PATCH] merge: fix out-of-bounds memory access
Date: Sat, 31 Jan 2009 15:39:10 +0100
Message-ID: <4984628E.8090600@lsrfire.ath.cx>
In-Reply-To: <20090129120539.GA26975@elte.hu>

The following on top of master lets git finish the merge without segfault
(reporting a merge conflict) and valgrind doesn't find any more memory
errors here.  Can you confirm that, Ingo?

-- 8< --
The parameter n of unpack_callback() can have a value of up to
MAX_UNPACK_TREES.  The check at the top of unpack_trees() (its only
(indirect) caller) makes sure it cannot exceed this limit.

unpack_callback() passes it and the array src to unpack_nondirectories(),
which has this loop:

	for (i = 0; i < n; i++) {
		/* ... */
		src[i + o->merge] = o->df_conflict_entry;

o->merge can be 0 or 1, so unpack_nondirectories() potentially accesses
the array src at index MAX_UNPACK_TREES.  This patch makes it big enough.

Reported-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Rene Scharfe <rene.scharfe@lsrfire.ath.cx>
---
 unpack-trees.c |    9 ++++++---
 1 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/unpack-trees.c b/unpack-trees.c
index 16bc2ca..e547282 100644
--- a/unpack-trees.c
+++ b/unpack-trees.c
@@ -240,8 +240,11 @@ static struct cache_entry *create_ce_entry(const struct traverse_info *info, con
 	return ce;
 }
 
-static int unpack_nondirectories(int n, unsigned long mask, unsigned long dirmask, struct cache_entry *src[5],
-	const struct name_entry *names, const struct traverse_info *info)
+static int unpack_nondirectories(int n, unsigned long mask,
+				 unsigned long dirmask,
+				 struct cache_entry **src,
+				 const struct name_entry *names,
+				 const struct traverse_info *info)
 {
 	int i;
 	struct unpack_trees_options *o = info->data;
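Review bot: the new `struct cache_entry **src` parameter no longer says how many slots the callee expects, while the loop quoted in the commit message stores to src[i + o->merge] for i < n, so the caller has to supply n + 1 entries when o->merge is 1. Suggest a comment above unpack_nondirectories() stating that src must hold at least MAX_UNPACK_TREES + 1 pointers, or passing the capacity as a parameter so the callee can check it. The old `src[5]` in the parameter list was not enforced by the compiler either, so dropping it is fine, but the requirement should be written down at the function.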
@@ -291,7 +294,7 @@ static int unpack_nondirectories(int n, unsigned long mask, unsigned long dirmas
 
 static int unpack_callback(int n, unsigned long mask, unsigned long dirmask, struct name_entry *names, struct traverse_info *info)
 {
-	struct cache_entry *src[5] = { NULL, };
+	struct cache_entry *src[MAX_UNPACK_TREES + 1] = { NULL, };
 	struct unpack_trees_options *o = info->data;
 	const struct name_entry *p = names;
 
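Review bot: the `+ 1` in `src[MAX_UNPACK_TREES + 1]` is unexplained at the declaration; a one-line comment saying the extra slot covers the o->merge offset used by unpack_nondirectories() would keep a later cleanup from trimming it back. Since the bound on n is enforced only at the top of unpack_trees(), per the commit message, consider also checking n <= MAX_UNPACK_TREES here before src is passed on, so the array size and the limit it depends on are verified in the same function.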
-- 
1.6.1
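
The off-by-one described in the commit message, as an added example that is not part of the original mail or of git's code: a simplified model of the loop that carries the array capacity alongside the pointer and rejects the store that would land out of bounds. `DEMO_MAX_TREES`, `struct entry`, `fill_src()` and `first_rejected_index()` are hypothetical stand-ins, and the value 8 is chosen for the demo only.

```c
#include <stddef.h>
#include <stdio.h>

#define DEMO_MAX_TREES 8                /* assumed stand-in for MAX_UNPACK_TREES */

struct entry { int id; };               /* stand-in for struct cache_entry */
static struct entry conflict = { -1 };  /* stand-in for o->df_conflict_entry */

/*
 * Model of the loop from the commit message, with the capacity of src
 * passed in. Returns 0 if every store fits, or -1 with the first
 * offending index in *bad; the out-of-range store is never performed.
 */
static int fill_src(struct entry **src, size_t cap, int n, int merge,
		    size_t *bad)
{
	for (int i = 0; i < n; i++) {
		size_t idx = (size_t)i + (size_t)merge;
		if (idx >= cap) {
			*bad = idx;
			return -1;
		}
		src[idx] = &conflict;
	}
	return 0;
}

/* Returns the first rejected index for an array of `cap` slots, or -1. */
static long first_rejected_index(size_t cap, int n, int merge)
{
	struct entry *src[DEMO_MAX_TREES + 1] = { NULL };
	size_t bad = 0;

	if (cap > (size_t)(DEMO_MAX_TREES + 1))
		cap = (size_t)(DEMO_MAX_TREES + 1); /* never exceed real storage */
	return fill_src(src, cap, n, merge, &bad) ? (long)bad : -1;
}

int main(void)
{
	int max = DEMO_MAX_TREES;

	printf("cap=MAX   merge=1: %ld\n", first_rejected_index(max, max, 1));
	printf("cap=MAX+1 merge=1: %ld\n", first_rejected_index(max + 1, max, 1));
	printf("cap=MAX   merge=0: %ld\n", first_rejected_index(max, max, 0));
	return 0;
}
```
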
