OSDN Git Service

builtin/mv: fix out of bounds write
author John Keeping <john@keeping.me.uk>
Sat, 8 Mar 2014 19:29:17 +0000 (19:29 +0000)
committer Junio C Hamano <gitster@pobox.com>
Tue, 11 Mar 2014 21:44:21 +0000 (14:44 -0700)

When commit a88c915 (mv: move submodules using a gitfile, 2013-07-30)
added the submodule_gitfile array, it was not added to the block that
enlarges the arrays when we are moving a directory so that we do not
have to worry about it being a directory when we perform the actual
move.  After this, the loop continues over the enlarged set of sources.

Since we assume that submodule_gitfile has size argc, if any of the
items in the source directory are submodules we are guaranteed to write
beyond the end of submodule_gitfile.

Fix this by realloc'ing submodule_gitfile at the same time as the other
arrays.

Reported-by: Guillaume Gelin <contact@ramnes.eu>
Signed-off-by: John Keeping <john@keeping.me.uk>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
builtin/mv.c

index 21c46d1..5258077 100644 (file)
@@ -179,6 +179,9 @@ int cmd_mv(int argc, const char **argv, const char *prefix)
                                                modes = xrealloc(modes,
                                                                (argc + last - first)
                                                                * sizeof(enum update_mode));
+                                               submodule_gitfile = xrealloc(submodule_gitfile,
+                                                               (argc + last - first)
+                                                               * sizeof(char *));
                                        }
 
                                        dst = add_slash(dst);
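Review bot: The new xrealloc call repeats the (argc + last - first) size expression once more and hard-codes the element type as sizeof(char *). The commit message traces the bug to one of these parallel arrays being left out of this block, so I would compute the new element count once in a local and size each array with sizeof(*array), for example sizeof(*submodule_gitfile), so the size stays tied to the declaration. A comment at the top of the block listing the arrays that must grow together would make the next addition harder to miss.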
@@ -192,6 +195,7 @@ int cmd_mv(int argc, const char **argv, const char *prefix)
                                                        prefix_path(dst, dst_len,
                                                                path + length + 1);
                                                modes[argc + j] = INDEX;
+                                               submodule_gitfile[argc + j] = NULL;
                                        }
                                        argc += last - first;
                                }
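Review bot: No test accompanies the fix; only builtin/mv.c is touched, and the added line submodule_gitfile[argc + j] = NULL; runs only on the directory-expansion path. A test that moves a directory containing a submodule, the case the commit message describes, would cover both this initialisation and the enlarged allocation. A one-line comment on what a NULL entry means to the later loop over the enlarged source list would also help readers of this block.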