git.ipfire.org Git - thirdparty/git.git/commit

author	Patrick Steinhardt <ps@pks.im>
	Fri, 10 Jan 2025 11:26:18 +0000 (12:26 +0100)
committer	Junio C Hamano <gitster@pobox.com>
	Fri, 10 Jan 2025 14:56:55 +0000 (06:56 -0800)
commit	e7fb2ca94556e6aadfc3038afaa1c8cc3525258c
tree	9464ba52bf58b6cfe6cf4c0baa6a54a3424b6001	tree
parent	1fbb8d7ecb7bd78ac55d226b6b073372a5ea2c2d	commit \| diff

builtin/blame: fix out-of-bounds write with blank boundary commits

When passing the `-b` flag to git-blame(1), then any blamed boundary
commits which were marked as uninteresting will not get their actual
commit ID printed, but will instead be replaced by a couple of spaces.

The flag can lead to an out-of-bounds write as though when combined with
`--abbrev=` when the abbreviation length is longer than `GIT_MAX_HEXSZ`
as we simply use memset(3p) on that array with the user-provided length
directly. The result is most likely that we segfault.

An obvious fix would be to cull `length` to `GIT_MAX_HEXSZ` many bytes.
But when the underlying object ID is SHA1, and if the abbreviated length
exceeds the SHA1 length, it would cause us to print more bytes than
desired, and the result would be misaligned.

Instead, fix the bug by computing the length via strlen(3p). This makes
us write as many bytes as the formatted object ID requires and thus
effectively limits the length of what we may end up printing to the
length of its hash. If `--abbrev=` asks us to abbreviate to something
shorter than the full length of the underlying hash function it would be
handled by the call to printf(3p) correctly.

Signed-off-by: Patrick Steinhardt <ps@pks.im>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

builtin/blame.c		diff \| blob \| blame \| history
t/t8002-blame.sh		diff \| blob \| blame \| history