From: mhagger@alum.mit.edu
To: Junio C Hamano <gitster@pobox.com>
Cc: git@vger.kernel.org, Jeff King <peff@peff.net>,
Jakub Narebski <jnareb@gmail.com>,
Heiko Voigt <hvoigt@hvoigt.net>,
Johan Herland <johan@herland.net>,
Christian Couder <chriscool@tuxfamily.org>,
Michael Haggerty <mhagger@alum.mit.edu>
Subject: [PATCH v2 10/18] bisect: copy filename string obtained from git_path()
Date: Fri, 27 Apr 2012 00:26:59 +0200 [thread overview]
Message-ID: <1335479227-7877-11-git-send-email-mhagger@alum.mit.edu> (raw)
In-Reply-To: <1335479227-7877-1-git-send-email-mhagger@alum.mit.edu>
From: Michael Haggerty <mhagger@alum.mit.edu>
Prevent the string from being overwritten by other callers of
git_path() and friends before we are done using it.
Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu>
---
Otherwise, this bug will be triggered by later patches in the series.
I didn't do a careful code audit of this problem, but it seems very
plausible that that check_ancestors() and/or check_merge_bases() are
guilty. They certainly do a lot more than should be done while
holding on to a pointer to a statically-allocated buffer.
I cursorily checked other code in the neighborhood for similar abuses,
but it would be good for an expert to look it over.
bisect.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/bisect.c b/bisect.c
index 6e186e2..48acf73 100644
--- a/bisect.c
+++ b/bisect.c
@@ -833,7 +833,7 @@ static int check_ancestors(const char *prefix)
*/
static void check_good_are_ancestors_of_bad(const char *prefix, int no_checkout)
{
- const char *filename = git_path("BISECT_ANCESTORS_OK");
+ char *filename = xstrdup(git_path("BISECT_ANCESTORS_OK"));
struct stat st;
int fd;
@@ -842,11 +842,11 @@ static void check_good_are_ancestors_of_bad(const char *prefix, int no_checkout)
/* Check if file BISECT_ANCESTORS_OK exists. */
if (!stat(filename, &st) && S_ISREG(st.st_mode))
- return;
+ goto done;
/* Bisecting with no good rev is ok. */
if (good_revs.nr == 0)
- return;
+ goto done;
/* Check if all good revs are ancestor of the bad rev. */
if (check_ancestors(prefix))
@@ -859,6 +859,8 @@ static void check_good_are_ancestors_of_bad(const char *prefix, int no_checkout)
filename, strerror(errno));
else
close(fd);
+ done:
+ free(filename);
}
/*
--
1.7.10
next prev parent reply other threads:[~2012-04-26 22:28 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-04-26 22:26 [PATCH v2 00/18] Read loose references lazily mhagger
2012-04-26 22:26 ` [PATCH v2 01/18] get_ref_dir(): return early if directory cannot be read mhagger
2012-04-26 22:26 ` [PATCH v2 02/18] get_ref_dir(): use a strbuf to hold refname mhagger
2012-04-26 22:26 ` [PATCH v2 03/18] get_ref_dir(): rename "base" parameter to "dirname" mhagger
2012-04-26 22:26 ` [PATCH v2 04/18] get_ref_dir(): require that the dirname argument ends in '/' mhagger
2012-04-26 22:26 ` [PATCH v2 05/18] refs.c: extract function search_for_subdir() mhagger
2012-05-03 19:48 ` Junio C Hamano
2012-05-03 20:56 ` Junio C Hamano
2012-05-04 7:24 ` Michael Haggerty
2012-04-26 22:26 ` [PATCH v2 06/18] get_ref_dir(): take the containing directory as argument mhagger
2012-04-26 22:26 ` [PATCH v2 07/18] do_for_each_reflog(): return early on error mhagger
2012-04-26 22:26 ` [PATCH v2 08/18] do_for_each_reflog(): use a strbuf to hold logfile name mhagger
2012-04-26 23:25 ` Junio C Hamano
2012-04-27 8:59 ` Michael Haggerty
2012-05-02 20:06 ` Junio C Hamano
2012-05-03 6:47 ` Michael Haggerty
2012-04-26 22:26 ` [PATCH v2 09/18] do_for_each_reflog(): reuse strbuf across recursive function calls mhagger
2012-04-26 22:26 ` mhagger [this message]
2012-04-26 22:27 ` [PATCH v2 11/18] find_containing_dir(): use strbuf in implementation of this function mhagger
2012-04-26 22:27 ` [PATCH v2 12/18] refs: wrap top-level ref_dirs in ref_entries mhagger
2012-04-26 22:27 ` [PATCH v2 13/18] read_loose_refs(): rename function from get_ref_dir() mhagger
2012-04-26 22:27 ` [PATCH v2 14/18] get_ref_dir(): add function for getting a ref_dir from a ref_entry mhagger
2012-04-26 22:27 ` [PATCH v2 15/18] search_for_subdir(): return (ref_dir *) instead of (ref_entry *) mhagger
2012-04-26 22:27 ` [PATCH v2 16/18] struct ref_dir: store a reference to the enclosing ref_cache mhagger
2012-04-26 22:27 ` [PATCH v2 17/18] read_loose_refs(): eliminate ref_cache argument mhagger
2012-04-26 22:27 ` [PATCH v2 18/18] refs: read loose references lazily mhagger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1335479227-7877-11-git-send-email-mhagger@alum.mit.edu \
--to=mhagger@alum.mit.edu \
--cc=chriscool@tuxfamily.org \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=hvoigt@hvoigt.net \
--cc=jnareb@gmail.com \
--cc=johan@herland.net \
--cc=peff@peff.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).