xdiff: clamp function context indices in post-image

After finding a function line for --function-context in the pre-image,
xdl_emit_diff() calculates the equivalent line in the post-image.  It
assumes that the lines between changes are the same on both sides.  If
the option --ignore-blank-lines was also given then this is not
necessarily true.

Clamp the calculation results for start and end of the function context
to prevent out-of-bounds array accesses.

Note that this _just_ fixes the case where our mismatch sends us off the
beginning of the file. There are likely other cases where our assumption
causes us to go to the wrong line within the file. Nobody has developed
a test case yet, and the ultimate fix is likely more complicated than
this patch. But this at least prevents a segfault in the meantime.

Credit for finding the bug goes to "Liu Wei of Tencent Security Xuanwu
Lab".

Reported-by: 刘炜 <lw17qhdz@gmail.com>
Helped-by: René Scharfe <l.s.r@web.de>
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

1 files changed, 2 insertions, 2 deletions

diff --git a/xdiff/xemit.c b/xdiff/xemit.c
index 7778dc2b19..30713ae9a9 100644
--- a/xdiff/xemit.c
+++ b/xdiff/xemit.c
@@ -210,7 +210,7 @@ int xdl_emit_diff(xdfenv_t *xe, xdchange_t *xscr, xdemitcb_t *ecb,
 			if (fs1 < 0)
 				fs1 = 0;
 			if (fs1 < s1) {
-				s2 -= s1 - fs1;
+				s2 = XDL_MAX(s2 - (s1 - fs1), 0);
 				s1 = fs1;
 			}
 		}
@@ -232,7 +232,7 @@ int xdl_emit_diff(xdfenv_t *xe, xdchange_t *xscr, xdemitcb_t *ecb,
 			if (fe1 < 0)
 				fe1 = xe->xdf1.nrec;
 			if (fe1 > e1) {
-				e2 += fe1 - e1;
+				e2 = XDL_MIN(e2 + (fe1 - e1), xe->xdf2.nrec);
 				e1 = fe1;
 			}