If we exit early in the function parse_object_buffer, we do not
write to *eaten_p. The calling function parse_object, which looks
like the following with respect to the eaten variable, then cannot rely
on a proper value being set in eaten, so whether the buffer is freed
depends on random values in memory.
struct object *parse_object(const unsigned char *sha1)
{
int eaten;
...
obj = parse_object_buffer(sha1, type, size, buffer, &eaten);
if (!eaten)
free(buffer);
}
This change makes sure, the buffer freeing condition is deterministic.
Signed-off-by: Stefan Beller <[email protected]>
---
object.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/object.c b/object.c
index cbc7333..d8a4b1f 100644
--- a/object.c
+++ b/object.c
@@ -145,7 +145,7 @@ struct object *lookup_unknown_object(const unsigned char
*sha1)
struct object *parse_object_buffer(const unsigned char *sha1, enum object_type
type, unsigned long size, void *buffer, int *eaten_p)
{
struct object *obj;
- int eaten = 0;
+ *eaten_p = 0;
obj = NULL;
if (type == OBJ_BLOB) {
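Review bot: The ownership contract this change establishes is not documented at the function: nothing tells a caller that `*eaten_p` is now written on every path, including the early `return NULL` ones. I would add above parse_object_buffer `/* Sets *eaten_p to 1 if the object kept a reference to buffer (caller must not free it), 0 otherwise, including when NULL is returned. */`. Because `*eaten_p = 0;` runs unconditionally at entry, eaten_p must be non-NULL, which is worth stating in the same comment. The function body continues outside this hunk.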
@@ -164,7 +164,7 @@ struct object *parse_object_buffer(const unsigned char
*sha1, enum object_type t
if (!tree->object.parsed) {
if (parse_tree_buffer(tree, buffer, size))
return NULL;
- eaten = 1;
+ *eaten_p = 1;
}
}
} else if (type == OBJ_COMMIT) {
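Review bot: On the failure path, `return NULL` is reached with `*eaten_p` still 0, so parse_object (as quoted in the description) will free buffer. That is only safe if parse_tree_buffer does not leave tree pointing at buffer when it returns non-zero. Its body is not visible in this patch, so this should be confirmed; if it can store the pointer before failing, the caller's free would leave a dangling reference. A comment at the call such as `/* on failure the caller frees buffer; parse_tree_buffer must not retain it */` would record the assumption. The enclosing function starts and ends outside this hunk.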
@@ -174,7 +174,7 @@ struct object *parse_object_buffer(const unsigned char
*sha1, enum object_type t
return NULL;
if (!commit->buffer) {
commit->buffer = buffer;
- eaten = 1;
+ *eaten_p = 1;
}
obj = &commit->object;
}
@@ -191,7 +191,6 @@ struct object *parse_object_buffer(const unsigned char
*sha1, enum object_type t
}
if (obj && obj->type == OBJ_NONE)
obj->type = type;
- *eaten_p = eaten;
return obj;
}
--
1.8.3.3.754.g9c3c367.dirty