From c9d31b711e8906cf248566f43142f20b03e20cbf Mon Sep 17 00:00:00 2001
From: Edward Thomson <ethomson@edwardthomson.com>
Date: Fri, 17 Nov 2023 16:54:47 +0000
Subject: [PATCH] revparse: fix parsing bug for trailing `@`
Origin: https://github.com/libgit2/libgit2/commit/c9d31b711e8906cf248566f43142f20b03e20cbf
When parsing a revspec that ends with a trailing `@`, explicitly stop
parsing. Introduce a sentinel variable to explicitly stop parsing.
Prior to this, we would set `spec` to `HEAD`, but were looping on the
value of `spec[pos]`, so we would continue walking the (new) `spec`
at offset `pos`, looking for a NUL. This is obviously an out-of-bounds
read.
Credit to Michael Rodler (@f0rki) and Amazon AWS Security.
---
vendor/libgit2-sys/libgit2/src/libgit2/revparse.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/vendor/libgit2-sys/libgit2/src/libgit2/revparse.c b/vendor/libgit2-sys/libgit2/src/libgit2/revparse.c
index 964afe378da..06d92f82bf2 100644
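--- a/vendor/libgit2-sys/libgit2/src/libgit2/revparse.c
+++ b/vendor/libgit2-sys/libgit2/src/libgit2/revparse.c
@@ -701,6 +701,7 @@ static int revparse(
 git_object *base_rev = NULL;
 
 bool should_return_reference = true;
+ bool parsed = false;
 
 GIT_ASSERT_ARG(object_out);
 GIT_ASSERT_ARG(reference_out);
@@ -710,7 +711,7 @@ static int revparse(
 *object_out = NULL;
 *reference_out = NULL;
 
- while (spec[pos]) {
+ while (!parsed && spec[pos]) {
 switch (spec[pos]) {
 case '^':
 should_return_reference = false;
@@ -817,6 +818,8 @@ static int revparse(
 break;
 } else if (spec[pos+1] == '\0') {
 spec = "HEAD";
+ identifier_len = 4;
+ parsed = true;
 break;
 }
 /* fall through */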
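Review bot: The `else if (spec[pos+1] == '\0')` branch in the last hunk does not, in the lines shown, require `pos == 0`, so with the new `identifier_len = 4` a spec that has a prefix before the trailing `@` (a constructed example: `name@`) would apparently resolve as `HEAD`, silently discarding the prefix already scanned. If only a bare `@` is meant to alias HEAD, tighten the test to `} else if (pos == 0 && spec[pos+1] == '\0') {` so other inputs take the fall-through path, or reject them with an invalid-spec error. The literal `4` must stay in step with the replacement string to keep the reads in bounds, so a short comment such as `/* strlen("HEAD") */` next to it, or deriving it from the string, would make that coupling visible. The start of the `'@'` case and the code after the loop lie outside the hunks, so this should be confirmed against the full function.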