summaryrefslogtreecommitdiffabout
authorEric Wong <normalperson@yhbt.net>2009-03-15 01:41:47 (UTC)
committer Lars Hjemli <hjemli@gmail.com>2009-03-15 07:46:15 (UTC)
commit112973615a78ce61fd6e767128df03b075be72ca (patch) (unidiff)
treecf4b3eb63f42d77ac77f74d951f583e1503886aa
parent6063e7b5532481ffaa7a6f080de28547983bbeb7 (diff)
downloadcgit-112973615a78ce61fd6e767128df03b075be72ca.zip
cgit-112973615a78ce61fd6e767128df03b075be72ca.tar.gz
cgit-112973615a78ce61fd6e767128df03b075be72ca.tar.bz2
fix segfault when displaying empty blobs
When size is zero, subtracting one from it turns it into ULONG_MAX which causes an out-of-bounds access on buf. Signed-off-by: Eric Wong <normalperson@yhbt.net> Signed-off-by: Lars Hjemli <hjemli@gmail.com>
Diffstat (more/less context) (ignore whitespace changes)
-rw-r--r--ui-tree.c13
1 files changed, 8 insertions, 5 deletions
diff --git a/ui-tree.c b/ui-tree.c
index c6159ec..553dbaa 100644
--- a/ui-tree.c
+++ b/ui-tree.c
@@ -12,37 +12,40 @@
12#include "ui-shared.h" 12#include "ui-shared.h"
13 13
14char *curr_rev; 14char *curr_rev;
15char *match_path; 15char *match_path;
16int header = 0; 16int header = 0;
17 17
18static void print_text_buffer(char *buf, unsigned long size) 18static void print_text_buffer(char *buf, unsigned long size)
19{ 19{
20 unsigned long lineno, idx; 20 unsigned long lineno, idx;
21 const char *numberfmt = 21 const char *numberfmt =
22 "<a class='no' id='n%1$d' name='n%1$d' href='#n%1$d'>%1$d</a>\n"; 22 "<a class='no' id='n%1$d' name='n%1$d' href='#n%1$d'>%1$d</a>\n";
23 23
24 html("<table summary='blob content' class='blob'>\n"); 24 html("<table summary='blob content' class='blob'>\n");
25 html("<tr><td class='linenumbers'><pre>"); 25 html("<tr><td class='linenumbers'><pre>");
26 idx = 0; 26 idx = 0;
27 lineno = 0; 27 lineno = 0;
28 htmlf(numberfmt, ++lineno); 28
29 while(idx < size - 1) { // skip absolute last newline 29 if (size) {
30 if (buf[idx] == '\n') 30 htmlf(numberfmt, ++lineno);
31 htmlf(numberfmt, ++lineno); 31 while(idx < size - 1) { // skip absolute last newline
32 idx++; 32 if (buf[idx] == '\n')
33 htmlf(numberfmt, ++lineno);
34 idx++;
35 }
33 } 36 }
34 html("</pre></td>\n"); 37 html("</pre></td>\n");
35 html("<td class='lines'><pre><code>"); 38 html("<td class='lines'><pre><code>");
36 html_txt(buf); 39 html_txt(buf);
37 html("</code></pre></td></tr></table>\n"); 40 html("</code></pre></td></tr></table>\n");
38} 41}
39 42
40#define ROWLEN 32 43#define ROWLEN 32
41 44
42static void print_binary_buffer(char *buf, unsigned long size) 45static void print_binary_buffer(char *buf, unsigned long size)
43{ 46{
44 unsigned long ofs, idx; 47 unsigned long ofs, idx;
45 static char ascii[ROWLEN + 1]; 48 static char ascii[ROWLEN + 1];
46 49
47 html("<table summary='blob content' class='bin-blob'>\n"); 50 html("<table summary='blob content' class='bin-blob'>\n");
48 html("<tr><th>ofs</th><th>hex dump</th><th>ascii</th></tr>"); 51 html("<tr><th>ofs</th><th>hex dump</th><th>ascii</th></tr>");