8000 revparse: fix parsing bug for trailing `@` · libgit2/libgit2@c9d31b7 · GitHub


Commit c9d31b7

committed
revparse: fix parsing bug for trailing @
When parsing a revspec that ends with a trailing `@`, explicitly stop parsing. Introduce a sentinel variable to explicitly stop parsing. Prior to this, we would set `spec` to `HEAD`, but were looping on the value of `spec[pos]`, so we would continue walking the (new) `spec` at offset `pos`, looking for a NUL. This is obviously an out-of-bounds read. Credit to Michael Rodler (@f0rki) and Amazon AWS Security.
1 parent 1619a0a commit c9d31b7


1 file changed

+4
-1
lines changed

1 file changed

+4
-1
lines changed

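--- a/src/libgit2/revparse.c
+++ b/src/libgit2/revparse.c
@@ -701,6 +701,7 @@ static int revparse(
 git_object *base_rev = NULL;
 
 bool should_return_reference = true;
+bool parsed = false;
 
 GIT_ASSERT_ARG(object_out);
 GIT_ASSERT_ARG(reference_out);
@@ -710,7 +711,7 @@ static int revparse(
 *object_out = NULL;
 *reference_out = NULL;
 
-while (spec[pos]) {
+while (!parsed && spec[pos]) {
 switch (spec[pos]) {
 case '^':
 should_return_reference = false;
@@ -817,6 +818,8 @@ static int revparse(
 break;
 } else if (spec[pos+1] == '\0') {
 spec = "HEAD";
+identifier_len = 4;
+parsed = true;
 break;
 }
 /* fall through */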
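Review bot: The trailing-`@` branch in the last hunk tests only `spec[pos+1] == '\0'`, so it appears to fire for any revspec that ends in `@`, not just the bare `@`; with the new `identifier_len = 4`, whatever identifier was scanned before it is silently replaced by `HEAD`. If only a bare `@` is meant to alias HEAD, guard the branch, e.g. `} else if (pos == 0 && spec[pos+1] == '\0') {`, or reject the input when `pos != 0`. The literal `4` also has to stay in step with the `"HEAD"` string assigned on the line above, so `identifier_len = strlen("HEAD");` or a short comment would make that coupling explicit. Since this fixes an out-of-bounds read on caller-supplied revspecs, a regression test for specs ending in `@`, run under a sanitizer, would be worth adding; the commit touches only this file. The body of revparse() starts and ends outside the visible hunks, so the behaviour of the code after the loop is inferred.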
