diff: avoid stack-buffer-read-overrun for very long name

Due to the use of strncpy without explicit NUL termination, we could end up passing names n1 or n2 that are not NUL-terminated to queue_diff, which requires NUL-terminated strings. Ensure that each is NUL terminated. Signed-off-by: N Jim Meyering <meyering@redhat.com> Signed-off-by: N Junio C Hamano <gitster@pobox.com>

diff: avoid stack-buffer-read-overrun for very long name
Due to the use of strncpy without explicit NUL termination, we could end up passing names n1 or n2 that are not NUL-terminated to queue_diff, which requires NUL-terminated strings. Ensure that each is NUL terminated. Signed-off-by: N Jim Meyering <meyering@redhat.com> Signed-off-by: N Junio C Hamano <gitster@pobox.com>
48e510b6 · Jim Meyering · Junio C Hamano · 6eab5f2f · 48e510b6
隐藏空白更改
内联并排

Showing with 2 addition and 0 deletion

diff-no-index.c diff-no-index.c +2 -0

未找到文件。
--- a/diff-no-index.c
+++ b/diff-no-index.c
@@ -109,6 +109,7 @@ static int queue_diff(struct diff_options *o,
 				n1 = buffer1;
 				strncpy(buffer1 + len1, p1.items[i1++].string,
 						PATH_MAX - len1);
+				buffer1[PATH_MAX-1] = 0;
 			}

 			if (comp < 0)
@@ -117,6 +118,7 @@ static int queue_diff(struct diff_options *o,
 				n2 = buffer2;
 				strncpy(buffer2 + len2, p2.items[i2++].string,
 						PATH_MAX - len2);
+				buffer2[PATH_MAX-1] = 0;
 			}

 			ret = queue_diff(o, n1, n2);