fix segfault when displaying empty blobs

When size is zero, subtracting one from it turns it into ULONG_MAX which causes an out-of-bounds access on buf. Signed-off-by: Eric Wong <normalperson@yhbt.net> Signed-off-by: Lars Hjemli <hjemli@gmail.com>
author: Eric Wong <normalperson@yhbt.net> 2009-03-15 01:41:47 (UTC)
committer: Lars Hjemli <hjemli@gmail.com> 2009-03-15 07:46:15 (UTC)
commit: 112973615a78ce61fd6e767128df03b075be72ca (patch) (unidiff)
tree: cf4b3eb63f42d77ac77f74d951f583e1503886aa
parent: 6063e7b5532481ffaa7a6f080de28547983bbeb7 (diff)
download: cgit-112973615a78ce61fd6e767128df03b075be72ca.zip
cgit-112973615a78ce61fd6e767128df03b075be72ca.tar.gz
cgit-112973615a78ce61fd6e767128df03b075be72ca.tar.bz2
1 files changed, 8 insertions, 5 deletions
diff --git a/ui-tree.c b/ui-tree.c
index c6159ec..553dbaa 100644
--- a/ui-tree.c
+++ b/ui-tree.c
@@ -1,160 +1,163 @@
 /* ui-tree.c: functions for tree output
 *
 * Copyright (C) 2006 Lars Hjemli
 *
 * Licensed under GNU General Public License v2
 *   (see COPYING for full license text)
 */
 #include <ctype.h>
 #include "cgit.h"
 #include "html.h"
 #include "ui-shared.h"
 char *curr_rev;
 char *match_path;
 int header = 0;
 static void print_text_buffer(char *buf, unsigned long size)
 {
        unsigned long lineno, idx;
        const char *numberfmt =
                "<a class='no' id='n%1$d' name='n%1$d' href='#n%1$d'>%1$d</a>\n";
        html("<table summary='blob content' class='blob'>\n");
        html("<tr><td class='linenumbers'><pre>");
        idx = 0;
        lineno = 0;
-        htmlf(numberfmt, ++lineno);
-        while(idx < size - 1) { // skip absolute last newline
+        if (size) {
-                if (buf[idx] == '\n')
+                htmlf(numberfmt, ++lineno);
-                        htmlf(numberfmt, ++lineno);
+                while(idx < size - 1) { // skip absolute last newline
-                idx++;
+                        if (buf[idx] == '\n')
+                                htmlf(numberfmt, ++lineno);
+                        idx++;
+                }
        }
        html("</pre></td>\n");
        html("<td class='lines'><pre><code>");
        html_txt(buf);
        html("</code></pre></td></tr></table>\n");
 }
 #define ROWLEN 32
 static void print_binary_buffer(char *buf, unsigned long size)
 {
        unsigned long ofs, idx;
        static char ascii[ROWLEN + 1];
        html("<table summary='blob content' class='bin-blob'>\n");
        html("<tr><th>ofs</th><th>hex dump</th><th>ascii</th></tr>");
        for (ofs = 0; ofs < size; ofs += ROWLEN, buf += ROWLEN) {
                htmlf("<tr><td class='right'>%04x</td><td class='hex'>", ofs);
                for (idx = 0; idx < ROWLEN && ofs + idx < size; idx++)
                        htmlf("%*s%02x",
                              idx == 16 ? 4 : 1, "",
                              buf[idx] & 0xff);
                html(" </td><td class='hex'>");
                for (idx = 0; idx < ROWLEN && ofs + idx < size; idx++)
                        ascii[idx] = isgraph(buf[idx]) ? buf[idx] : '.';
                ascii[idx] = '\0';
                html_txt(ascii);
                html("</td></tr>\n");
        }
        html("</table>\n");
 }
 static void print_object(const unsigned char *sha1, char *path)
 {
        enum object_type type;
        char *buf;
        unsigned long size;
        type = sha1_object_info(sha1, &size);
        if (type == OBJ_BAD) {
                cgit_print_error(fmt("Bad object name: %s",
                                     sha1_to_hex(sha1)));
                return;
        }
        buf = read_sha1_file(sha1, &type, &size);
        if (!buf) {
                cgit_print_error(fmt("Error reading object %s",
                                     sha1_to_hex(sha1)));
                return;
        }
        html(" (");
        cgit_plain_link("plain", NULL, NULL, ctx.qry.head,
                        curr_rev, path);
        htmlf(")<br/>blob: %s\n", sha1_to_hex(sha1));
        if (buffer_is_binary(buf, size))
                print_binary_buffer(buf, size);
        else
                print_text_buffer(buf, size);
 }
 static int ls_item(const unsigned char *sha1, const char *base, int baselen,
                   const char *pathname, unsigned int mode, int stage,
                   void *cbdata)
 {
        char *name;
        char *fullpath;
        enum object_type type;
        unsigned long size = 0;
        name = xstrdup(pathname);
        fullpath = fmt("%s%s%s", ctx.qry.path ? ctx.qry.path : "",
                       ctx.qry.path ? "/" : "", name);
        if (!S_ISGITLINK(mode)) {
                type = sha1_object_info(sha1, &size);
                if (type == OBJ_BAD) {
                        htmlf("<tr><td colspan='3'>Bad object: %s %s</td></tr>",
                              name,
                              sha1_to_hex(sha1));
                        return 0;
                }
        }
        html("<tr><td class='ls-mode'>");
        cgit_print_filemode(mode);
        html("</td><td>");
        if (S_ISGITLINK(mode)) {
                htmlf("<a class='ls-mod' href='");
                html_attr(fmt(ctx.repo->module_link,
                              name,
                              sha1_to_hex(sha1)));
                html("'>");
                html_txt(name);
                html("</a>");
        } else if (S_ISDIR(mode)) {
                cgit_tree_link(name, NULL, "ls-dir", ctx.qry.head,
                               curr_rev, fullpath);
        } else {
                cgit_tree_link(name, NULL, "ls-blob", ctx.qry.head,
                               curr_rev, fullpath);
        }
        htmlf("</td><td class='ls-size'>%li</td>", size);
        html("<td>");
        cgit_log_link("log", NULL, "button", ctx.qry.head, curr_rev,
                      fullpath, 0, NULL, NULL, ctx.qry.showmsg);
        if (ctx.repo->max_stats)
                cgit_stats_link("stats", NULL, "button", ctx.qry.head,
                                fullpath);
        html("</td></tr>\n");
        free(name);
        return 0;
 }
 static void ls_head()
 {
        html("<table summary='tree listing' class='list'>\n");
        html("<tr class='nohover'>");
        html("<th class='left'>Mode</th>");
        html("<th class='left'>Name</th>");
        html("<th class='right'>Size</th>");
        html("<th/>");
        html("</tr>\n");
        header = 1;
author	Eric Wong <normalperson@yhbt.net>	2009-03-15 01:41:47 (UTC)
committer	Lars Hjemli <hjemli@gmail.com>	2009-03-15 07:46:15 (UTC)
commit	112973615a78ce61fd6e767128df03b075be72ca (patch) (unidiff)
tree	cf4b3eb63f42d77ac77f74d951f583e1503886aa
parent	6063e7b5532481ffaa7a6f080de28547983bbeb7 (diff)
download	cgit-112973615a78ce61fd6e767128df03b075be72ca.zip cgit-112973615a78ce61fd6e767128df03b075be72ca.tar.gz cgit-112973615a78ce61fd6e767128df03b075be72ca.tar.bz2

diff --git a/ui-tree.c b/ui-tree.c index c6159ec..553dbaa 100644 --- a/ui-tree.c +++ b/ui-tree.c
@@ -1,160 +1,163 @@
1	/* ui-tree.c: functions for tree output	1	/* ui-tree.c: functions for tree output
2	*	2	*
3	* Copyright (C) 2006 Lars Hjemli	3	* Copyright (C) 2006 Lars Hjemli
4	*	4	*
5	* Licensed under GNU General Public License v2	5	* Licensed under GNU General Public License v2
6	* (see COPYING for full license text)	6	* (see COPYING for full license text)
7	*/	7	*/
8		8
9	#include <ctype.h>	9	#include <ctype.h>
10	#include "cgit.h"	10	#include "cgit.h"
11	#include "html.h"	11	#include "html.h"
12	#include "ui-shared.h"	12	#include "ui-shared.h"
13		13
14	char *curr_rev;	14	char *curr_rev;
15	char *match_path;	15	char *match_path;
16	int header = 0;	16	int header = 0;
17		17
18	static void print_text_buffer(char *buf, unsigned long size)	18	static void print_text_buffer(char *buf, unsigned long size)
19	{	19	{
20	unsigned long lineno, idx;	20	unsigned long lineno, idx;
21	const char *numberfmt =	21	const char *numberfmt =
22	"<a class='no' id='n%1$d' name='n%1$d' href='#n%1$d'>%1$d</a>\n";	22	"<a class='no' id='n%1$d' name='n%1$d' href='#n%1$d'>%1$d</a>\n";
23		23
24	html("<table summary='blob content' class='blob'>\n");	24	html("<table summary='blob content' class='blob'>\n");
25	html("<tr><td class='linenumbers'><pre>");	25	html("<tr><td class='linenumbers'><pre>");
26	idx = 0;	26	idx = 0;
27	lineno = 0;	27	lineno = 0;
28	htmlf(numberfmt, ++lineno);	28
29	while(idx < size - 1) { // skip absolute last newline	29	if (size) {
30	if (buf[idx] == '\n')	30	htmlf(numberfmt, ++lineno);
31	htmlf(numberfmt, ++lineno);	31	while(idx < size - 1) { // skip absolute last newline
32	idx++;	32	if (buf[idx] == '\n')
		33	htmlf(numberfmt, ++lineno);
		34	idx++;
		35	}
33	}	36	}
34	html("</pre></td>\n");	37	html("</pre></td>\n");
35	html("<td class='lines'><pre><code>");	38	html("<td class='lines'><pre><code>");
36	html_txt(buf);	39	html_txt(buf);
37	html("</code></pre></td></tr></table>\n");	40	html("</code></pre></td></tr></table>\n");
38	}	41	}
39		42
40	#define ROWLEN 32	43	#define ROWLEN 32
41		44
42	static void print_binary_buffer(char *buf, unsigned long size)	45	static void print_binary_buffer(char *buf, unsigned long size)
43	{	46	{
44	unsigned long ofs, idx;	47	unsigned long ofs, idx;
45	static char ascii[ROWLEN + 1];	48	static char ascii[ROWLEN + 1];
46		49
47	html("<table summary='blob content' class='bin-blob'>\n");	50	html("<table summary='blob content' class='bin-blob'>\n");
48	html("<tr><th>ofs</th><th>hex dump</th><th>ascii</th></tr>");	51	html("<tr><th>ofs</th><th>hex dump</th><th>ascii</th></tr>");
49	for (ofs = 0; ofs < size; ofs += ROWLEN, buf += ROWLEN) {	52	for (ofs = 0; ofs < size; ofs += ROWLEN, buf += ROWLEN) {
50	htmlf("<tr><td class='right'>%04x</td><td class='hex'>", ofs);	53	htmlf("<tr><td class='right'>%04x</td><td class='hex'>", ofs);
51	for (idx = 0; idx < ROWLEN && ofs + idx < size; idx++)	54	for (idx = 0; idx < ROWLEN && ofs + idx < size; idx++)
52	htmlf("%*s%02x",	55	htmlf("%*s%02x",
53	idx == 16 ? 4 : 1, "",	56	idx == 16 ? 4 : 1, "",
54	buf[idx] & 0xff);	57	buf[idx] & 0xff);
55	html(" </td><td class='hex'>");	58	html(" </td><td class='hex'>");
56	for (idx = 0; idx < ROWLEN && ofs + idx < size; idx++)	59	for (idx = 0; idx < ROWLEN && ofs + idx < size; idx++)
57	ascii[idx] = isgraph(buf[idx]) ? buf[idx] : '.';	60	ascii[idx] = isgraph(buf[idx]) ? buf[idx] : '.';
58	ascii[idx] = '\0';	61	ascii[idx] = '\0';
59	html_txt(ascii);	62	html_txt(ascii);
60	html("</td></tr>\n");	63	html("</td></tr>\n");
61	}	64	}
62	html("</table>\n");	65	html("</table>\n");
63	}	66	}
64		67
65	static void print_object(const unsigned char sha1, char path)	68	static void print_object(const unsigned char sha1, char path)
66	{	69	{
67	enum object_type type;	70	enum object_type type;
68	char *buf;	71	char *buf;
69	unsigned long size;	72	unsigned long size;
70		73
71	type = sha1_object_info(sha1, &size);	74	type = sha1_object_info(sha1, &size);
72	if (type == OBJ_BAD) {	75	if (type == OBJ_BAD) {
73	cgit_print_error(fmt("Bad object name: %s",	76	cgit_print_error(fmt("Bad object name: %s",
74	sha1_to_hex(sha1)));	77	sha1_to_hex(sha1)));
75	return;	78	return;
76	}	79	}
77		80
78	buf = read_sha1_file(sha1, &type, &size);	81	buf = read_sha1_file(sha1, &type, &size);
79	if (!buf) {	82	if (!buf) {
80	cgit_print_error(fmt("Error reading object %s",	83	cgit_print_error(fmt("Error reading object %s",
81	sha1_to_hex(sha1)));	84	sha1_to_hex(sha1)));
82	return;	85	return;
83	}	86	}
84		87
85	html(" (");	88	html(" (");
86	cgit_plain_link("plain", NULL, NULL, ctx.qry.head,	89	cgit_plain_link("plain", NULL, NULL, ctx.qry.head,
87	curr_rev, path);	90	curr_rev, path);
88	htmlf(")<br/>blob: %s\n", sha1_to_hex(sha1));	91	htmlf(")<br/>blob: %s\n", sha1_to_hex(sha1));
89		92
90	if (buffer_is_binary(buf, size))	93	if (buffer_is_binary(buf, size))
91	print_binary_buffer(buf, size);	94	print_binary_buffer(buf, size);
92	else	95	else
93	print_text_buffer(buf, size);	96	print_text_buffer(buf, size);
94	}	97	}
95		98
96		99
97	static int ls_item(const unsigned char sha1, const char base, int baselen,	100	static int ls_item(const unsigned char sha1, const char base, int baselen,
98	const char *pathname, unsigned int mode, int stage,	101	const char *pathname, unsigned int mode, int stage,
99	void *cbdata)	102	void *cbdata)
100	{	103	{
101	char *name;	104	char *name;
102	char *fullpath;	105	char *fullpath;
103	enum object_type type;	106	enum object_type type;
104	unsigned long size = 0;	107	unsigned long size = 0;
105		108
106	name = xstrdup(pathname);	109	name = xstrdup(pathname);
107	fullpath = fmt("%s%s%s", ctx.qry.path ? ctx.qry.path : "",	110	fullpath = fmt("%s%s%s", ctx.qry.path ? ctx.qry.path : "",
108	ctx.qry.path ? "/" : "", name);	111	ctx.qry.path ? "/" : "", name);
109		112
110	if (!S_ISGITLINK(mode)) {	113	if (!S_ISGITLINK(mode)) {
111	type = sha1_object_info(sha1, &size);	114	type = sha1_object_info(sha1, &size);
112	if (type == OBJ_BAD) {	115	if (type == OBJ_BAD) {
113	htmlf("<tr><td colspan='3'>Bad object: %s %s</td></tr>",	116	htmlf("<tr><td colspan='3'>Bad object: %s %s</td></tr>",
114	name,	117	name,
115	sha1_to_hex(sha1));	118	sha1_to_hex(sha1));
116	return 0;	119	return 0;
117	}	120	}
118	}	121	}
119		122
120	html("<tr><td class='ls-mode'>");	123	html("<tr><td class='ls-mode'>");
121	cgit_print_filemode(mode);	124	cgit_print_filemode(mode);
122	html("</td><td>");	125	html("</td><td>");
123	if (S_ISGITLINK(mode)) {	126	if (S_ISGITLINK(mode)) {
124	htmlf("<a class='ls-mod' href='");	127	htmlf("<a class='ls-mod' href='");
125	html_attr(fmt(ctx.repo->module_link,	128	html_attr(fmt(ctx.repo->module_link,
126	name,	129	name,
127	sha1_to_hex(sha1)));	130	sha1_to_hex(sha1)));
128	html("'>");	131	html("'>");
129	html_txt(name);	132	html_txt(name);
130	html("</a>");	133	html("</a>");
131	} else if (S_ISDIR(mode)) {	134	} else if (S_ISDIR(mode)) {
132	cgit_tree_link(name, NULL, "ls-dir", ctx.qry.head,	135	cgit_tree_link(name, NULL, "ls-dir", ctx.qry.head,
133	curr_rev, fullpath);	136	curr_rev, fullpath);
134	} else {	137	} else {
135	cgit_tree_link(name, NULL, "ls-blob", ctx.qry.head,	138	cgit_tree_link(name, NULL, "ls-blob", ctx.qry.head,
136	curr_rev, fullpath);	139	curr_rev, fullpath);
137	}	140	}
138	htmlf("</td><td class='ls-size'>%li</td>", size);	141	htmlf("</td><td class='ls-size'>%li</td>", size);
139		142
140	html("<td>");	143	html("<td>");
141	cgit_log_link("log", NULL, "button", ctx.qry.head, curr_rev,	144	cgit_log_link("log", NULL, "button", ctx.qry.head, curr_rev,
142	fullpath, 0, NULL, NULL, ctx.qry.showmsg);	145	fullpath, 0, NULL, NULL, ctx.qry.showmsg);
143	if (ctx.repo->max_stats)	146	if (ctx.repo->max_stats)
144	cgit_stats_link("stats", NULL, "button", ctx.qry.head,	147	cgit_stats_link("stats", NULL, "button", ctx.qry.head,
145	fullpath);	148	fullpath);
146	html("</td></tr>\n");	149	html("</td></tr>\n");
147	free(name);	150	free(name);
148	return 0;	151	return 0;
149	}	152	}
150		153
151	static void ls_head()	154	static void ls_head()
152	{	155	{
153	html("<table summary='tree listing' class='list'>\n");	156	html("<table summary='tree listing' class='list'>\n");
154	html("<tr class='nohover'>");	157	html("<tr class='nohover'>");
155	html("<th class='left'>Mode</th>");	158	html("<th class='left'>Mode</th>");
156	html("<th class='left'>Name</th>");	159	html("<th class='left'>Name</th>");
157	html("<th class='right'>Size</th>");	160	html("<th class='right'>Size</th>");
158	html("<th/>");	161	html("<th/>");
159	html("</tr>\n");	162	html("</tr>\n");
160	header = 1;	163	header = 1;