[RFC/WIP PATCH 1/3] rerere: avoid buffer overrun

Two RFC/WIP series for facilitating merge conflict resolution · Elijah Newren <hidden> · 2018-08-06
[RFC/WIP PATCH 0/1] Simplify handling of directory/file conflicts · Elijah Newren <hidden> · 2018-08-06
[RFC/WIP PATCH 1/1] merge-recursive: make file/directory conflicts easier to resolve · Elijah Newren <hidden> · 2018-08-06
[RFC/WIP PATCH 0/3] Modifications to handling of non-textual file merge conflicts · Elijah Newren <hidden> · 2018-08-06
[RFC/WIP PATCH 3/3] merge-recursive: provide more conflict hints for non-textual conflicts · Elijah Newren <hidden> · 2018-08-06
[RFC/WIP PATCH 2/3] merge-recursive: fix handling of submodules in modify/delete conflicts · Elijah Newren <hidden> · 2018-08-06
[RFC/WIP PATCH 1/3] rerere: avoid buffer overrun · Elijah Newren <hidden> · 2018-08-06

DORMANTno replies

From: Elijah Newren <hidden>
Date: 2018-08-06 22:47:53
Subsystem: the rest · Maintainer: Linus Torvalds

check_one_conflict() compares `i` to `active_nr` in two places to avoid
buffer overruns, but left out an important third location.  This has
not previously been a problem, because existing merge strategies have
tended to not create entries at stage #1 that do not have a
corresponding entry at either stage #2 or stage #3.  However, this is
not guaranteed, so add a check to avoid segfaults.

Signed-off-by: Elijah Newren <redacted>
---
 rerere.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rerere.c b/rerere.c
index 16c8aac621..7d22fb08c7 100644
--- a/rerere.c
+++ b/rerere.c

@@ -533,7 +533,7 @@ static int check_one_conflict(int i, int *type)
 	}
 
 	*type = PUNTED;
-	while (ce_stage(active_cache[i]) == 1)
+	while (i < active_nr && ce_stage(active_cache[i]) == 1)
 		i++;
 
 	/* Only handle regular files with both stages #2 and #3 */

-- 
2.18.0.550.g44d6daf40a.dirty

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help