git/tag.c
Martin Koegler a0393ef676 parse_tag_buffer: don't parse invalid tags
The current tag parsing code can access memory outside the tag buffer,
if \n are missing. This patch prevent this behaviour.

Signed-off-by: Martin Koegler <mkoegler@auto.tuwien.ac.at>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-01-06 18:41:44 -08:00

118 lines
2.8 KiB
C

#include "cache.h"
#include "tag.h"
#include "commit.h"
#include "tree.h"
#include "blob.h"
const char *tag_type = "tag";
struct object *deref_tag(struct object *o, const char *warn, int warnlen)
{
while (o && o->type == OBJ_TAG)
o = parse_object(((struct tag *)o)->tagged->sha1);
if (!o && warn) {
if (!warnlen)
warnlen = strlen(warn);
error("missing object referenced by '%.*s'", warnlen, warn);
}
return o;
}
struct tag *lookup_tag(const unsigned char *sha1)
{
struct object *obj = lookup_object(sha1);
if (!obj)
return create_object(sha1, OBJ_TAG, alloc_tag_node());
if (!obj->type)
obj->type = OBJ_TAG;
if (obj->type != OBJ_TAG) {
error("Object %s is a %s, not a tag",
sha1_to_hex(sha1), typename(obj->type));
return NULL;
}
return (struct tag *) obj;
}
int parse_tag_buffer(struct tag *item, void *data, unsigned long size)
{
int typelen, taglen;
unsigned char sha1[20];
const char *type_line, *tag_line, *sig_line;
char type[20];
const char *start = data;
if (item->object.parsed)
return 0;
item->object.parsed = 1;
if (size < 64)
return -1;
if (memcmp("object ", data, 7) || get_sha1_hex((char *) data + 7, sha1))
return -1;
type_line = (char *) data + 48;
if (memcmp("\ntype ", type_line-1, 6))
return -1;
tag_line = memchr(type_line, '\n', size - (type_line - start));
if (!tag_line || memcmp("tag ", ++tag_line, 4))
return -1;
sig_line = memchr(tag_line, '\n', size - (tag_line - start));
if (!sig_line)
return -1;
sig_line++;
typelen = tag_line - type_line - strlen("type \n");
if (typelen >= 20)
return -1;
memcpy(type, type_line + 5, typelen);
type[typelen] = '\0';
taglen = sig_line - tag_line - strlen("tag \n");
item->tag = xmemdupz(tag_line + 4, taglen);
if (!strcmp(type, blob_type)) {
item->tagged = &lookup_blob(sha1)->object;
} else if (!strcmp(type, tree_type)) {
item->tagged = &lookup_tree(sha1)->object;
} else if (!strcmp(type, commit_type)) {
item->tagged = &lookup_commit(sha1)->object;
} else if (!strcmp(type, tag_type)) {
item->tagged = &lookup_tag(sha1)->object;
} else {
error("Unknown type %s", type);
item->tagged = NULL;
}
if (item->tagged && track_object_refs) {
struct object_refs *refs = alloc_object_refs(1);
refs->ref[0] = item->tagged;
set_object_refs(&item->object, refs);
}
return 0;
}
int parse_tag(struct tag *item)
{
enum object_type type;
void *data;
unsigned long size;
int ret;
if (item->object.parsed)
return 0;
data = read_sha1_file(item->object.sha1, &type, &size);
if (!data)
return error("Could not read %s",
sha1_to_hex(item->object.sha1));
if (type != OBJ_TAG) {
free(data);
return error("Object %s not a tag",
sha1_to_hex(item->object.sha1));
}
ret = parse_tag_buffer(item, data, size);
free(data);
return ret;
}