git.ipfire.org Git - thirdparty/git.git/commit

author	Phillip Wood <phillip.wood@dunelm.org.uk>
	Mon, 3 Oct 2022 09:23:30 +0000 (09:23 +0000)
committer	Junio C Hamano <gitster@pobox.com>
	Mon, 3 Oct 2022 16:05:07 +0000 (09:05 -0700)
commit	3ef1494685dea925d4e98ed06d9ea3fb5b3ecb89
tree	c3bb3df2c946e2cf300b4193faed3c405a1d6989	tree \| snapshot
parent	a0feb8611d4c0b2b5d954efe4e98207f62223436	commit \| diff

mailinfo -b: fix an out of bounds access

To remove bracketed strings containing "PATCH" from the subject line
cleanup_subject() scans the subject for the opening bracket using an
offset from the beginning of the line. It then searches for the
closing bracket with strchr(). To calculate the length of the
bracketed string it unfortunately adds rather than subtracts the
offset from the result of strchr(). This leads to an out of bounds
access in memmem() when looking to see if the brackets contain
"PATCH".

We have tests that trigger this bug that were added in ae52d57f0b
(t5100: add some more mailinfo tests, 2017-05-31). The commit message
mentions that they are marked test_expect_failure as they trigger an
assertion in strbuf_splice(). While it is reassuring that
strbuf_splice() detects the problem and dies in retrospect that should
perhaps have warranted a little more investigation. The bug was
introduced by 17635fc900 (mailinfo: -b option keeps [bracketed]
strings that is not a [PATCH] marker, 2009-07-15). I think the reason
it has survived so long is that '-b' is not a popular option and
without it the offset is always zero.

This was found by the address sanitizer while I was cleaning up the
test_todo idea in [1].

[1] https://lore.kernel.org/git/db558292-2783-3270-4824-43757822a389@gmail.com/

Signed-off-by: Phillip Wood <phillip.wood@dunelm.org.uk>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

mailinfo.c		diff \| blob \| blame \| history
t/t5100-mailinfo.sh		diff \| blob \| blame \| history