From: Junio C Hamano <gitster@pobox.com>
To: Patrick Steinhardt <ps@pks.im>
Cc: git@vger.kernel.org,
Johannes Schindelin <Johannes.Schindelin@gmx.de>,
Kristoffer Haugsbakk <kristofferhaugsbakk@fastmail.com>
Subject: Re: [PATCH v2] builtin/blame: fix out-of-bounds read with excessive `--abbrev`
Date: Thu, 09 Jan 2025 06:59:08 -0800 [thread overview]
Message-ID: <xmqqldvkkp8j.fsf@gitster.g> (raw)
In-Reply-To: <20250109-b4-pks-blame-truncate-hash-length-v2-1-589c81a6ddb0@pks.im> (Patrick Steinhardt's message of "Thu, 09 Jan 2025 12:48:22 +0100")
Patrick Steinhardt <ps@pks.im> writes:
> diff --git a/builtin/blame.c b/builtin/blame.c
> index 867032e4c16878ffd56df8a73162b89ca4bd2694..f92e487bed22eec576a4716f2e654cb61efb9903 100644
> --- a/builtin/blame.c
> +++ b/builtin/blame.c
> @@ -505,7 +505,10 @@ static void emit_other(struct blame_scoreboard *sb, struct blame_entry *ent, int
Mental note: the "hex" in question that is used later is defined as
char hex[GIT_MAX_HEXSZ + 1];
at the top of this scope.
> length--;
> putchar('?');
> }
> - fwrite(hex, 1, length, stdout);
> +
> + if (length > GIT_MAX_HEXSZ)
> + length = GIT_MAX_HEXSZ;
> + printf("%.*s", (int)length, hex);
This is not wrong per-se, but leaves a funny aftertaste after
reading it, especially if the reader knows the original *bug* was
about showing past the end of the string in "hex". The question is
"what if the current hash function produces shorter than MAX_HEXSZ?"
The updated code is correct only because it reinstates the use of
printf() so the "length" being longer than the string itself no
longer matters, and the only requirement on "length" is not to
read beyond the end of hex[] array. So feeding the length of the
array as the limit is not wrong, even though it may be feeding a
limit that is larger than the string stored in the array.
An obvious alternative would have been to base the limit on the
value of strlen(hex) and then we may even keep using fwrite(); then
we do not have worry about "what if MAX_HEXSZ is larger than the
current hash function?" and nonsense like that (I personally prefer
what is being reviewed much better; please do not take this "obvious
alternative" as a suggestion).
Limiting the "length" here does improve the resulting code, relative
to v1 iteration. This printf is about showing the hexstring and we
are making sure we do not read past the end of the array that holds
the string, and doing it here means we do not have to worry about
leading prefix characters about boundary etc. Very good
improvement.
Thanks.
next prev parent reply other threads:[~2025-01-09 14:59 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-09 6:21 [PATCH] builtin/blame: fix out-of-bounds read with excessive `--abbrev` Patrick Steinhardt
2025-01-09 10:31 ` Kristoffer Haugsbakk
2025-01-09 10:49 ` Johannes Schindelin
2025-01-09 11:14 ` Patrick Steinhardt
2025-01-09 13:41 ` Johannes Schindelin
2025-01-10 9:27 ` Johannes Schindelin
2025-01-10 9:49 ` Patrick Steinhardt
2025-01-09 11:48 ` [PATCH v2] " Patrick Steinhardt
2025-01-09 12:40 ` shejialuo
2025-01-09 13:49 ` Johannes Schindelin
2025-01-10 12:16 ` shejialuo
2025-01-09 13:43 ` Johannes Schindelin
2025-01-09 14:59 ` Junio C Hamano [this message]
2025-01-10 11:26 ` [PATCH v3 0/2] builtin/blame: fix out-of-bounds reads and writes Patrick Steinhardt
2025-01-10 11:26 ` [PATCH v3 1/2] builtin/blame: fix out-of-bounds read with excessive `--abbrev` Patrick Steinhardt
2025-01-10 11:26 ` [PATCH v3 2/2] builtin/blame: fix out-of-bounds write with blank boundary commits Patrick Steinhardt
2025-01-10 13:00 ` Johannes Schindelin
2025-01-10 14:21 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=xmqqldvkkp8j.fsf@gitster.g \
--to=gitster@pobox.com \
--cc=Johannes.Schindelin@gmx.de \
--cc=git@vger.kernel.org \
--cc=kristofferhaugsbakk@fastmail.com \
--cc=ps@pks.im \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).