When parsing tags, we skip all unknown fields that appear before the tag message. This skipping is done by using a plain `strstr(buffer, "\n\n")` to search for the two newlines that separate tag fields from tag message. As it is not possible to supply a buffer length to `strstr`, this call may skip over the buffer's end and thus result in an out of bounds read. As `strstr` may return a pointer that is out of bounds, the following computation of `buffer_end - buffer` will overflow and result in an allocation of an invalid length. Fix the issue by using `git__memmem` instead. Add a test that verifies parsing the tag fails not due to the allocation failure but due to the tag having no message.
Name |
Last commit
|
Last update |
---|---|---|
.github | Loading commit data... | |
ci | Loading commit data... | |
cmake/Modules | Loading commit data... | |
deps | Loading commit data... | |
docs | Loading commit data... | |
examples | Loading commit data... | |
fuzzers | Loading commit data... | |
include | Loading commit data... | |
script | Loading commit data... | |
src | Loading commit data... | |
tests | Loading commit data... | |
.HEADER | Loading commit data... | |
.editorconfig | Loading commit data... | |
.gitattributes | Loading commit data... | |
.gitignore | Loading commit data... | |
.mailmap | Loading commit data... | |
AUTHORS | Loading commit data... | |
CMakeLists.txt | Loading commit data... | |
COPYING | Loading commit data... | |
README.md | Loading commit data... | |
api.docurium | Loading commit data... | |
azure-pipelines.yml | Loading commit data... | |
git.git-authors | Loading commit data... | |
libgit2.pc.in | Loading commit data... | |
libgit2_clar.supp | Loading commit data... | |
package.json | Loading commit data... |