author | Eric Wong <normalperson@yhbt.net> | 2009-03-15 01:41:47 (UTC) |
---|---|---|
committer | Lars Hjemli <hjemli@gmail.com> | 2009-03-15 07:46:15 (UTC) |
commit | 112973615a78ce61fd6e767128df03b075be72ca (patch) (unidiff) | |
tree | cf4b3eb63f42d77ac77f74d951f583e1503886aa | |
parent | 6063e7b5532481ffaa7a6f080de28547983bbeb7 (diff) | |
download | cgit-112973615a78ce61fd6e767128df03b075be72ca.zip cgit-112973615a78ce61fd6e767128df03b075be72ca.tar.gz cgit-112973615a78ce61fd6e767128df03b075be72ca.tar.bz2 |
fix segfault when displaying empty blobs
When size is zero, subtracting one from it turns it into
ULONG_MAX which causes an out-of-bounds access on buf.
Signed-off-by: Eric Wong <normalperson@yhbt.net>
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
-rw-r--r-- | ui-tree.c | 13 |
1 files changed, 8 insertions, 5 deletions
@@ -12,37 +12,40 @@ | |||
12 | #include "ui-shared.h" | 12 | #include "ui-shared.h" |
13 | 13 | ||
14 | char *curr_rev; | 14 | char *curr_rev; |
15 | char *match_path; | 15 | char *match_path; |
16 | int header = 0; | 16 | int header = 0; |
17 | 17 | ||
18 | static void print_text_buffer(char *buf, unsigned long size) | 18 | static void print_text_buffer(char *buf, unsigned long size) |
19 | { | 19 | { |
20 | unsigned long lineno, idx; | 20 | unsigned long lineno, idx; |
21 | const char *numberfmt = | 21 | const char *numberfmt = |
22 | "<a class='no' id='n%1$d' name='n%1$d' href='#n%1$d'>%1$d</a>\n"; | 22 | "<a class='no' id='n%1$d' name='n%1$d' href='#n%1$d'>%1$d</a>\n"; |
23 | 23 | ||
24 | html("<table summary='blob content' class='blob'>\n"); | 24 | html("<table summary='blob content' class='blob'>\n"); |
25 | html("<tr><td class='linenumbers'><pre>"); | 25 | html("<tr><td class='linenumbers'><pre>"); |
26 | idx = 0; | 26 | idx = 0; |
27 | lineno = 0; | 27 | lineno = 0; |
28 | htmlf(numberfmt, ++lineno); | 28 | |
29 | while(idx < size - 1) { // skip absolute last newline | 29 | if (size) { |
30 | if (buf[idx] == '\n') | 30 | htmlf(numberfmt, ++lineno); |
31 | htmlf(numberfmt, ++lineno); | 31 | while(idx < size - 1) { // skip absolute last newline |
32 | idx++; | 32 | if (buf[idx] == '\n') |
33 | htmlf(numberfmt, ++lineno); | ||
34 | idx++; | ||
35 | } | ||
33 | } | 36 | } |
34 | html("</pre></td>\n"); | 37 | html("</pre></td>\n"); |
35 | html("<td class='lines'><pre><code>"); | 38 | html("<td class='lines'><pre><code>"); |
36 | html_txt(buf); | 39 | html_txt(buf); |
37 | html("</code></pre></td></tr></table>\n"); | 40 | html("</code></pre></td></tr></table>\n"); |
38 | } | 41 | } |
39 | 42 | ||
40 | #define ROWLEN 32 | 43 | #define ROWLEN 32 |
41 | 44 | ||
42 | static void print_binary_buffer(char *buf, unsigned long size) | 45 | static void print_binary_buffer(char *buf, unsigned long size) |
43 | { | 46 | { |
44 | unsigned long ofs, idx; | 47 | unsigned long ofs, idx; |
45 | static char ascii[ROWLEN + 1]; | 48 | static char ascii[ROWLEN + 1]; |
46 | 49 | ||
47 | html("<table summary='blob content' class='bin-blob'>\n"); | 50 | html("<table summary='blob content' class='bin-blob'>\n"); |
48 | html("<tr><th>ofs</th><th>hex dump</th><th>ascii</th></tr>"); | 51 | html("<tr><th>ofs</th><th>hex dump</th><th>ascii</th></tr>"); |