From: "René Scharfe" <l.s.r@web.de>
To: Junio C Hamano <gitster@pobox.com>
Cc: Git List <git@vger.kernel.org>
Subject: Re: [PATCH 3/5] wt-status: avoid building bogus branch name with detached HEAD
Date: Sun, 1 Nov 2015 19:11:06 +0100 [thread overview]
Message-ID: <563655BA.906@web.de> (raw)
In-Reply-To: <xmqqbnbdip6y.fsf@gitster.mtv.corp.google.com>
Am 01.11.2015 um 18:50 schrieb Junio C Hamano:
> René Scharfe <l.s.r@web.de> writes:
>
>> If we're on a detached HEAD then wt_shortstatus_print_tracking() takes
>> the string "HEAD (no branch)", translates it, skips the first eleven
>> characters and passes the result to branch_get(), which returns a bogus
>> result and accesses memory out of bounds in order to produce it.
>
> The fix is correct, but the above explanation looks "not quite" to
> me.
>
> That "HEAD (no branch)" thing is in a separate branch_name variable
> that is not involved in the actual computation (i.e. call to
> branch_get()).
>
> The function gets "HEAD" in s->branch, uses that and skips the first
> eleven characters (i.e. beyond the end of that string), lets
> branch_get() to return a garbage and likely missing branch, finds
> that nobody tracks that, and does the right thing anyway. If the
> garbage past the end of the "HEAD" happens to have a name of an
> existing branch, we would get an incorrect result.
Ah, yes. This came from an earlier round which had patch 3 and 4
reversed, causing the translated string to be passed to branch_get().
Thanks for catching the commit message inconsistency!
René
next prev parent reply other threads:[~2015-11-01 18:11 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-31 17:33 [PATCH 0/5] wt-status: fix an invalid memory read, clean up René Scharfe
2015-10-31 17:35 ` [PATCH 1/5] t7060: add test for status --branch on a detached HEAD René Scharfe
2015-10-31 17:36 ` [PATCH 2/5] wt-status: exit early using goto in wt_shortstatus_print_tracking() René Scharfe
2015-10-31 17:36 ` [PATCH 3/5] wt-status: avoid building bogus branch name with detached HEAD René Scharfe
2015-11-01 17:50 ` Junio C Hamano
2015-11-01 18:11 ` René Scharfe [this message]
2015-10-31 17:37 ` [PATCH 4/5] wt-status: don't skip a magical number of characters blindly René Scharfe
2015-11-01 17:51 ` Junio C Hamano
2015-11-01 17:55 ` Junio C Hamano
2015-10-31 17:37 ` [PATCH 5/5] wt-status: use skip_prefix() to get rid of magic string length constants René Scharfe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=563655BA.906@web.de \
--to=l.s.r@web.de \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).