Revision 447ac906e189535e77dcb1f4bbe3f1bc917d4c12 authored by Patrick Steinhardt on 01 December 2022, 14:45:31 UTC, committed by Junio C Hamano on 05 December 2022, 06:14:16 UTC
The `struct attr_stack` tracks the stack of all patterns together with their attributes. When parsing a gitattributes file that has more than 2^31 such patterns though we may trigger multiple out-of-bounds reads on 64 bit platforms. This is because while the `num_matches` variable is an unsigned integer, we always use a signed integer to iterate over them. I have not been able to reproduce this issue due to memory constraints on my systems. But despite the out-of-bounds reads, the worst thing that can seemingly happen is to call free(3P) with a garbage pointer when calling `attr_stack_free()`. Fix this bug by using unsigned integers to iterate over the array. While this makes the iteration somewhat awkward when iterating in reverse, it is at least better than knowingly running into an out-of-bounds read. While at it, convert the call to `ALLOC_GROW` to use `ALLOC_GROW_BY` instead. Signed-off-by: Patrick Steinhardt <ps@pks.im> Signed-off-by: Junio C Hamano <gitster@pobox.com>
1 parent 34ace8b
quote.h
#ifndef QUOTE_H
#define QUOTE_H
struct strbuf;
/* Help to copy the thing properly quoted for the shell safety.
* any single quote is replaced with '\'', any exclamation point
* is replaced with '\!', and the whole thing is enclosed in a
* single quote pair.
*
* For example, if you are passing the result to system() as an
* argument:
*
* sprintf(cmd, "foobar %s %s", sq_quote(arg0), sq_quote(arg1))
*
* would be appropriate. If the system() is going to call ssh to
* run the command on the other side:
*
* sprintf(cmd, "git-diff-tree %s %s", sq_quote(arg0), sq_quote(arg1));
* sprintf(rcmd, "ssh %s %s", sq_quote(host), sq_quote(cmd));
*
* Note that the above examples leak memory! Remember to free result from
* sq_quote() in a real application.
*
* sq_quote_buf() writes to an existing buffer of specified size; it
* will return the number of characters that would have been written
* excluding the final null regardless of the buffer size.
*
* sq_quotef() quotes the entire formatted string as a single result.
*/
void sq_quote_buf(struct strbuf *, const char *src);
void sq_quote_argv(struct strbuf *, const char **argv);
void sq_quotef(struct strbuf *, const char *fmt, ...);
/*
* These match their non-pretty variants, except that they avoid
* quoting when there are no exotic characters. These should only be used for
* human-readable output, as sq_dequote() is not smart enough to dequote it.
*/
void sq_quote_buf_pretty(struct strbuf *, const char *src);
void sq_quote_argv_pretty(struct strbuf *, const char **argv);
void sq_append_quote_argv_pretty(struct strbuf *dst, const char **argv);
/* This unwraps what sq_quote() produces in place, but returns
* NULL if the input does not look like what sq_quote would have
* produced.
*/
char *sq_dequote(char *);
/*
* Same as the above, but can be used to unwrap many arguments in the
* same string separated by space. Like sq_quote, it works in place,
* modifying arg and appending pointers into it to argv.
*/
int sq_dequote_to_argv(char *arg, const char ***argv, int *nr, int *alloc);
/*
* Same as above, but store the unquoted strings in a strvec. We will
* still modify arg in place, but unlike sq_dequote_to_argv, the strvec
* will duplicate and take ownership of the strings.
*/
struct strvec;
int sq_dequote_to_strvec(char *arg, struct strvec *);
int unquote_c_style(struct strbuf *, const char *quoted, const char **endp);
/* Bits in the flags parameter to quote_c_style() */
#define CQUOTE_NODQ 01
size_t quote_c_style(const char *name, struct strbuf *, FILE *, unsigned);
void quote_two_c_style(struct strbuf *, const char *, const char *, unsigned);
void write_name_quoted(const char *name, FILE *, int terminator);
void write_name_quoted_relative(const char *name, const char *prefix,
FILE *fp, int terminator);
/* quote path as relative to the given prefix */
char *quote_path(const char *in, const char *prefix, struct strbuf *out, unsigned flags);
#define QUOTE_PATH_QUOTE_SP 01
/* quoting as a string literal for other languages */
void perl_quote_buf(struct strbuf *sb, const char *src);
void python_quote_buf(struct strbuf *sb, const char *src);
void tcl_quote_buf(struct strbuf *sb, const char *src);
void basic_regex_quote_buf(struct strbuf *sb, const char *src);
#endif
Computing file changes ...
