git.ipfire.org Git - thirdparty/git.git/commit

author	Jeff King <peff@peff.net>
	Tue, 18 Nov 2025 09:12:23 +0000 (04:12 -0500)
committer	Junio C Hamano <gitster@pobox.com>
	Tue, 18 Nov 2025 17:36:11 +0000 (09:36 -0800)
commit	830424def4896dbf041d41dad873f5b86fdf9bfa
tree	a853590926e3a471ca1efc0b400dad47bfdf9487	tree
parent	0b6ec075df2ac77a4792b8b1a7290a36b636012b	commit \| diff

fsck: avoid strcspn() in fsck_ident()

We may be operating on a buffer that is not NUL-terminated, but we use
strcspn() to parse it. This is OK in practice, as discussed in
8e4309038f (fsck: do not assume NUL-termination of buffers, 2023-01-19),
because we know there is at least a trailing newline in our buffer, and
we always pass "\n" to strcspn(). So we know it will stop before running
off the end of the buffer.

But this is a subtle point to hang our memory safety hat on. And it
confuses ASan's strict_string_checks mode, even though it is technically
a false positive (that mode complains that we have no NUL, which is
true, but it does not know that we have verified the presence of the
newline already).

Let's instead open-code the loop. As a bonus, this makes the logic more
obvious (to my mind, anyway). The current code skips forward with
strcspn until it hits "<", ">", or "\n". But then it must check which it
saw to decide if that was what we expected or not, duplicating some
logic between what's in the strcspn() and what's in the domain logic.
Instead, we can just check each character as we loop and act on it
immediately.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>