From 3aee68aa68e80856de26340b707148d8f8d5b82e Mon Sep 17 00:00:00 2001
From: Ilari Liusvaara
Date: Tue, 26 Jan 2010 20:24:14 +0200
Subject: Fix integer overflow in unpack_sha1_rest()
[jc: later NUL termination by the caller becomes unnecessary]
Signed-off-by: Ilari Liusvaara
Signed-off-by: Junio C Hamano
---
 sha1_file.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
(limited to 'sha1_file.c')
diff --git a/sha1_file.c b/sha1_file.c
index 63981fb3fd..a903247677 100644
--- a/sha1_file.c
+++ b/sha1_file.c
@@ -1232,7 +1232,7 @@ static int unpack_sha1_header(z_stream *stream, unsigned char *map, unsigned lon
 static void *unpack_sha1_rest(z_stream *stream, void *buffer, unsigned long size, const unsigned char *sha1)
 {
 int bytes = strlen(buffer) + 1;
- unsigned char *buf = xmalloc(1+size);
+ unsigned char *buf = xmallocz(size);
 unsigned long n;
 int status = Z_OK;
@@ -1260,7 +1260,6 @@ static void *unpack_sha1_rest(z_stream *stream, void *buffer, unsigned long size
 while (status == Z_OK)
 status = git_inflate(stream, Z_FINISH);
 }
- buf[size] = 0;
 if (status == Z_STREAM_END && !stream->avail_in) {
 git_inflate_end(stream);
 return buf;
--
cgit v1.2.3
From 4ab07e4d1076a1b94b91d58913daeb20eb1c0e2d Mon Sep 17 00:00:00 2001
From: Ilari Liusvaara
Date: Tue, 26 Jan 2010 20:24:15 +0200
Subject: Fix integer overflow in unpack_compressed_entry()
Signed-off-by: Ilari Liusvaara
Signed-off-by: Junio C Hamano
---
 sha1_file.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
(limited to 'sha1_file.c')
diff --git a/sha1_file.c b/sha1_file.c
index a903247677..23d347c45f 100644
--- a/sha1_file.c
+++ b/sha1_file.c
@@ -1582,8 +1582,7 @@ static void *unpack_compressed_entry(struct packed_git *p,
 z_stream stream;
 unsigned char *buffer, *in;
- buffer = xmalloc(size + 1);
- buffer[size] = 0;
+ buffer = xmallocz(size);
 memset(&stream, 0, sizeof(stream));
 stream.next_out = buffer;
 stream.avail_out = size + 1;
--
cgit v1.2.3
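Review bot: The terminating NUL is now written by `xmallocz(size)` before inflation, whereas the removed `buf[size] = 0;` in the second hunk ran after the inflate loop, so the terminator survives only if the output window set up between the two hunks (not shown on this page) never extends past `size` bytes. The overflow fix itself also rests on xmallocz() rejecting a `size` for which `size + 1` wraps; its definition is not on this page, so that is assumed. A comment at the allocation would keep both assumptions visible to the next editor, for example `/* xmallocz() checks size + 1 for wrap-around and sets buf[size] = 0; inflate must not be given more than size bytes of output */`. The body of unpack_sha1_rest continues outside both hunks.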
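Review bot: `stream.avail_out = size + 1;` keeps the open-coded addition that this commit removes from the allocation, and it gives inflate room to overwrite the NUL that `xmallocz(size)` placed at `buffer[size]`. A `size` whose `size + 1` wraps presumably never reaches this line because xmallocz() is expected to refuse it (not shown here), but zlib's `avail_out` is a `uInt`, so on platforms where `unsigned long` is wider the value is also silently narrowed. Whether an over-long stream is rejected afterwards, e.g. by comparing `stream.total_out` with `size`, is decided outside the hunk; if it is, a comment such as `/* one spare byte so a stream longer than size is detected below */` at the assignment would document why the extra byte is offered.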