From 8424981934c415bd20643de9cc932bd348dfb115 Mon Sep 17 00:00:00 2001 From: Jeff King Date: Mon, 1 Feb 2010 08:39:03 -0500 Subject: Fix invalid read in quote_c_style_counted This function did not work on strings that were not NUL-terminated. It reads through a length-bounded string, searching for characters in need of quoting. After we find one, we output the quoted character, then advance our pointer to find the next one. However, we never decremented the length, meaning we ended up looking at whatever random junk was stored after the string. This bug was not found by the existing tests because most code paths feed a NUL-terminated string. The notable exception is a directory name being fed by ls-tree. Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- quote.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'quote.c') diff --git a/quote.c b/quote.c index acb6bf929f..fc93435727 100644 --- a/quote.c +++ b/quote.c @@ -213,7 +213,7 @@ static size_t quote_c_style_counted(const char *name, ssize_t maxlen, int ch; len = next_quote_pos(p, maxlen); - if (len == maxlen || !p[len]) + if (len == maxlen || (maxlen < 0 && !p[len])) break; if (!no_dq && p == name) @@ -223,6 +223,8 @@ static size_t quote_c_style_counted(const char *name, ssize_t maxlen, EMIT('\\'); p += len; ch = (unsigned char)*p++; + if (maxlen >= 0) + maxlen -= len + 1; if (sq_lookup[ch] >= ' ') { EMIT(sq_lookup[ch]); } else { -- cgit v1.2.3