mailinfo -b: fix an out of bounds access

To remove bracketed strings containing "PATCH" from the subject line
cleanup_subject() scans the subject for the opening bracket using an
offset from the beginning of the line. It then searches for the
closing bracket with strchr(). To calculate the length of the
bracketed string it unfortunately adds rather than subtracts the
offset from the result of strchr(). This leads to an out of bounds
access in memmem() when looking to see if the brackets contain
"PATCH".

We have tests that trigger this bug that were added in ae52d57f0b
(t5100: add some more mailinfo tests, 2017-05-31). The commit message
mentions that they are marked test_expect_failure as they trigger an
assertion in strbuf_splice(). While it is reassuring that
strbuf_splice() detects the problem and dies in retrospect that should
perhaps have warranted a little more investigation. The bug was
introduced by 17635fc900 (mailinfo: -b option keeps [bracketed]
strings that is not a [PATCH] marker, 2009-07-15). I think the reason
it has survived so long is that '-b' is not a popular option and
without it the offset is always zero.

This was found by the address sanitizer while I was cleaning up the
test_todo idea in [1].

[1] https://lore.kernel.org/git/db558292-2783-3270-4824-43757822a389@gmail.com/

Signed-off-by: Phillip Wood <phillip.wood@dunelm.org.uk>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

diff --git a/mailinfo.c b/mailinfo.c
index 9621ba62a394348a95f6e5e181aea286c6c37b56..833d28612f77473e9a50d6329ba55bd9706ba81d 100644 (file)
--- a/mailinfo.c
+++ b/mailinfo.c
@@ -317,7 +317,7 @@ static void cleanup_subject(struct mailinfo *mi, struct strbuf *subject)
                        pos = strchr(subject->buf + at, ']');
                        if (!pos)
                                break;
-                       remove = pos - subject->buf + at + 1;
+                       remove = pos - (subject->buf + at) + 1;
                        if (!mi->keep_non_patch_brackets_in_subject ||
                            (7 <= remove &&
                             memmem(subject->buf + at, remove, "PATCH", 5)))

diff --git a/t/t5100-mailinfo.sh b/t/t5100-mailinfo.sh
index cebad1048cfca3a142bcaef361dfab69fe889ceb..db11cababd310f9773dcd0a3bb7039a4df8d4f59 100755 (executable)
--- a/t/t5100-mailinfo.sh
+++ b/t/t5100-mailinfo.sh
@@ -201,13 +201,13 @@ test_expect_success 'mailinfo -b double [PATCH]' '
        test z"$subj" = z"Subject: message"
 '
 
-test_expect_failure 'mailinfo -b trailing [PATCH]' '
+test_expect_success 'mailinfo -b trailing [PATCH]' '
        subj="$(echo "Subject: [other] [PATCH] message" |
                git mailinfo -b /dev/null /dev/null)" &&
        test z"$subj" = z"Subject: [other] message"
 '
 
-test_expect_failure 'mailinfo -b separated double [PATCH]' '
+test_expect_success 'mailinfo -b separated double [PATCH]' '
        subj="$(echo "Subject: [PATCH] [other] [PATCH] message" |
                git mailinfo -b /dev/null /dev/null)" &&
        test z"$subj" = z"Subject: [other] message"