summaryrefslogtreecommitdiffabout
authorEric Wong <normalperson@yhbt.net>2009-03-15 01:41:47 (UTC)
committer Lars Hjemli <hjemli@gmail.com>2009-03-15 07:46:15 (UTC)
commit112973615a78ce61fd6e767128df03b075be72ca (patch) (side-by-side diff)
treecf4b3eb63f42d77ac77f74d951f583e1503886aa
parent6063e7b5532481ffaa7a6f080de28547983bbeb7 (diff)
downloadcgit-112973615a78ce61fd6e767128df03b075be72ca.zip
cgit-112973615a78ce61fd6e767128df03b075be72ca.tar.gz
cgit-112973615a78ce61fd6e767128df03b075be72ca.tar.bz2
fix segfault when displaying empty blobs
When size is zero, subtracting one from it turns it into ULONG_MAX which causes an out-of-bounds access on buf. Signed-off-by: Eric Wong <normalperson@yhbt.net> Signed-off-by: Lars Hjemli <hjemli@gmail.com>
Diffstat (more/less context) (ignore whitespace changes)
-rw-r--r--ui-tree.c13
1 files changed, 8 insertions, 5 deletions
diff --git a/ui-tree.c b/ui-tree.c
index c6159ec..553dbaa 100644
--- a/ui-tree.c
+++ b/ui-tree.c
@@ -1,160 +1,163 @@
/* ui-tree.c: functions for tree output
*
* Copyright (C) 2006 Lars Hjemli
*
* Licensed under GNU General Public License v2
* (see COPYING for full license text)
*/
#include <ctype.h>
#include "cgit.h"
#include "html.h"
#include "ui-shared.h"
char *curr_rev;
char *match_path;
int header = 0;
static void print_text_buffer(char *buf, unsigned long size)
{
unsigned long lineno, idx;
const char *numberfmt =
"<a class='no' id='n%1$d' name='n%1$d' href='#n%1$d'>%1$d</a>\n";
html("<table summary='blob content' class='blob'>\n");
html("<tr><td class='linenumbers'><pre>");
idx = 0;
lineno = 0;
- htmlf(numberfmt, ++lineno);
- while(idx < size - 1) { // skip absolute last newline
- if (buf[idx] == '\n')
- htmlf(numberfmt, ++lineno);
- idx++;
+
+ if (size) {
+ htmlf(numberfmt, ++lineno);
+ while(idx < size - 1) { // skip absolute last newline
+ if (buf[idx] == '\n')
+ htmlf(numberfmt, ++lineno);
+ idx++;
+ }
}
html("</pre></td>\n");
html("<td class='lines'><pre><code>");
html_txt(buf);
html("</code></pre></td></tr></table>\n");
}
#define ROWLEN 32
static void print_binary_buffer(char *buf, unsigned long size)
{
unsigned long ofs, idx;
static char ascii[ROWLEN + 1];
html("<table summary='blob content' class='bin-blob'>\n");
html("<tr><th>ofs</th><th>hex dump</th><th>ascii</th></tr>");
for (ofs = 0; ofs < size; ofs += ROWLEN, buf += ROWLEN) {
htmlf("<tr><td class='right'>%04x</td><td class='hex'>", ofs);
for (idx = 0; idx < ROWLEN && ofs + idx < size; idx++)
htmlf("%*s%02x",
idx == 16 ? 4 : 1, "",
buf[idx] & 0xff);
html(" </td><td class='hex'>");
for (idx = 0; idx < ROWLEN && ofs + idx < size; idx++)
ascii[idx] = isgraph(buf[idx]) ? buf[idx] : '.';
ascii[idx] = '\0';
html_txt(ascii);
html("</td></tr>\n");
}
html("</table>\n");
}
static void print_object(const unsigned char *sha1, char *path)
{
enum object_type type;
char *buf;
unsigned long size;
type = sha1_object_info(sha1, &size);
if (type == OBJ_BAD) {
cgit_print_error(fmt("Bad object name: %s",
sha1_to_hex(sha1)));
return;
}
buf = read_sha1_file(sha1, &type, &size);
if (!buf) {
cgit_print_error(fmt("Error reading object %s",
sha1_to_hex(sha1)));
return;
}
html(" (");
cgit_plain_link("plain", NULL, NULL, ctx.qry.head,
curr_rev, path);
htmlf(")<br/>blob: %s\n", sha1_to_hex(sha1));
if (buffer_is_binary(buf, size))
print_binary_buffer(buf, size);
else
print_text_buffer(buf, size);
}
static int ls_item(const unsigned char *sha1, const char *base, int baselen,
const char *pathname, unsigned int mode, int stage,
void *cbdata)
{
char *name;
char *fullpath;
enum object_type type;
unsigned long size = 0;
name = xstrdup(pathname);
fullpath = fmt("%s%s%s", ctx.qry.path ? ctx.qry.path : "",
ctx.qry.path ? "/" : "", name);
if (!S_ISGITLINK(mode)) {
type = sha1_object_info(sha1, &size);
if (type == OBJ_BAD) {
htmlf("<tr><td colspan='3'>Bad object: %s %s</td></tr>",
name,
sha1_to_hex(sha1));
return 0;
}
}
html("<tr><td class='ls-mode'>");
cgit_print_filemode(mode);
html("</td><td>");
if (S_ISGITLINK(mode)) {
htmlf("<a class='ls-mod' href='");
html_attr(fmt(ctx.repo->module_link,
name,
sha1_to_hex(sha1)));
html("'>");
html_txt(name);
html("</a>");
} else if (S_ISDIR(mode)) {
cgit_tree_link(name, NULL, "ls-dir", ctx.qry.head,
curr_rev, fullpath);
} else {
cgit_tree_link(name, NULL, "ls-blob", ctx.qry.head,
curr_rev, fullpath);
}
htmlf("</td><td class='ls-size'>%li</td>", size);
html("<td>");
cgit_log_link("log", NULL, "button", ctx.qry.head, curr_rev,
fullpath, 0, NULL, NULL, ctx.qry.showmsg);
if (ctx.repo->max_stats)
cgit_stats_link("stats", NULL, "button", ctx.qry.head,
fullpath);
html("</td></tr>\n");
free(name);
return 0;
}
static void ls_head()
{
html("<table summary='tree listing' class='list'>\n");
html("<tr class='nohover'>");
html("<th class='left'>Mode</th>");
html("<th class='left'>Name</th>");
html("<th class='right'>Size</th>");
html("<th/>");
html("</tr>\n");
header = 1;