From 9f751c2a681aed2089ba30f64a0478ea3e68a81c Mon Sep 17 00:00:00 2001 From: Alex Riesen Date: Sun, 19 Oct 2008 20:17:17 +0200 Subject: [PATCH] Fix potentially dangerous use of mkpath In the changed code a pointer to the buffer returned by mkpath is used after a function is called which also uses mkpath or git_path. As both these functions use the same ring of buffers, the data pointed by the pointer stored in the first function can be overwritten when the function returns, not to mention the possibility that other code using the same buffer ring can come in in the future. Replace mkpath with mksnpath and a local buffer for the resulting string. --- builtin-apply.c | 4 ++-- builtin-for-each-ref.c | 6 ++++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/builtin-apply.c b/builtin-apply.c index cfd8fce..4c4d1e1 100644 --- a/builtin-apply.c +++ b/builtin-apply.c @@ -2841,8 +2841,8 @@ static void create_one_file(char *path, unsigned mode, const char *buf, unsigned unsigned int nr = getpid(); for (;;) { - const char *newpath; - newpath = mkpath("%s~%u", path, nr); + char newpath[PATH_MAX]; + mksnpath(newpath, sizeof(newpath), "%s~%u", path, nr); if (!try_create_file(newpath, mode, buf, size)) { if (!rename(newpath, path)) return; diff --git a/builtin-for-each-ref.c b/builtin-for-each-ref.c index fa6c1ed..e46b7ad 100644 --- a/builtin-for-each-ref.c +++ b/builtin-for-each-ref.c @@ -620,14 +620,16 @@ static char *get_short_ref(struct refinfo *ref) for (j = 0; j < i; j++) { const char *rule = ref_rev_parse_rules[j]; unsigned char short_objectname[20]; + char refname[PATH_MAX]; /* * the short name is ambiguous, if it resolves * (with this previous rule) to a valid ref * read_ref() returns 0 on success */ - if (!read_ref(mkpath(rule, short_name_len, short_name), - short_objectname)) + mksnpath(refname, sizeof(refname), + rule, short_name_len, short_name); + if (!read_ref(refname, short_objectname)) break; } -- 1.6.0.3.549.gb475d