author | Eric Wong <normalperson@yhbt.net> | 2009-03-15 01:41:47 (UTC) |
---|---|---|
committer | Lars Hjemli <hjemli@gmail.com> | 2009-03-15 07:46:15 (UTC) |
commit | 112973615a78ce61fd6e767128df03b075be72ca (patch) (side-by-side diff) | |
tree | cf4b3eb63f42d77ac77f74d951f583e1503886aa | |
parent | 6063e7b5532481ffaa7a6f080de28547983bbeb7 (diff) | |
download | cgit-112973615a78ce61fd6e767128df03b075be72ca.zip cgit-112973615a78ce61fd6e767128df03b075be72ca.tar.gz cgit-112973615a78ce61fd6e767128df03b075be72ca.tar.bz2 |
fix segfault when displaying empty blobs
When size is zero, subtracting one from it turns it into
ULONG_MAX which causes an out-of-bounds access on buf.
Signed-off-by: Eric Wong <normalperson@yhbt.net>
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
-rw-r--r-- | ui-tree.c | 13 |
1 files changed, 8 insertions, 5 deletions
@@ -16,29 +16,32 @@ char *match_path; int header = 0; static void print_text_buffer(char *buf, unsigned long size) { unsigned long lineno, idx; const char *numberfmt = "<a class='no' id='n%1$d' name='n%1$d' href='#n%1$d'>%1$d</a>\n"; html("<table summary='blob content' class='blob'>\n"); html("<tr><td class='linenumbers'><pre>"); idx = 0; lineno = 0; - htmlf(numberfmt, ++lineno); - while(idx < size - 1) { // skip absolute last newline - if (buf[idx] == '\n') - htmlf(numberfmt, ++lineno); - idx++; + + if (size) { + htmlf(numberfmt, ++lineno); + while(idx < size - 1) { // skip absolute last newline + if (buf[idx] == '\n') + htmlf(numberfmt, ++lineno); + idx++; + } } html("</pre></td>\n"); html("<td class='lines'><pre><code>"); html_txt(buf); html("</code></pre></td></tr></table>\n"); } #define ROWLEN 32 static void print_binary_buffer(char *buf, unsigned long size) { unsigned long ofs, idx; |