fix segfault when displaying empty blobs

When size is zero, subtracting one from it turns it into ULONG_MAX which causes an out-of-bounds access on buf. Signed-off-by: Eric Wong <normalperson@yhbt.net> Signed-off-by: Lars Hjemli <hjemli@gmail.com>
author: Eric Wong <normalperson@yhbt.net> 2009-03-15 01:41:47 (UTC)
committer: Lars Hjemli <hjemli@gmail.com> 2009-03-15 07:46:15 (UTC)
commit: 112973615a78ce61fd6e767128df03b075be72ca (patch) (unidiff)
tree: cf4b3eb63f42d77ac77f74d951f583e1503886aa
parent: 6063e7b5532481ffaa7a6f080de28547983bbeb7 (diff)
download: cgit-112973615a78ce61fd6e767128df03b075be72ca.zip
cgit-112973615a78ce61fd6e767128df03b075be72ca.tar.gz
cgit-112973615a78ce61fd6e767128df03b075be72ca.tar.bz2
1 files changed, 8 insertions, 5 deletions
diff --git a/ui-tree.c b/ui-tree.c
index c6159ec..553dbaa 100644
--- a/ui-tree.c
+++ b/ui-tree.c
@@ -1,96 +1,99 @@
 /* ui-tree.c: functions for tree output
 *
 * Copyright (C) 2006 Lars Hjemli
 *
 * Licensed under GNU General Public License v2
 *   (see COPYING for full license text)
 */
 #include <ctype.h>
 #include "cgit.h"
 #include "html.h"
 #include "ui-shared.h"
 char *curr_rev;
 char *match_path;
 int header = 0;
 static void print_text_buffer(char *buf, unsigned long size)
 {
        unsigned long lineno, idx;
        const char *numberfmt =
                "<a class='no' id='n%1$d' name='n%1$d' href='#n%1$d'>%1$d</a>\n";
        html("<table summary='blob content' class='blob'>\n");
        html("<tr><td class='linenumbers'><pre>");
        idx = 0;
        lineno = 0;
-        htmlf(numberfmt, ++lineno);
-        while(idx < size - 1) { // skip absolute last newline
+        if (size) {
-                if (buf[idx] == '\n')
+                htmlf(numberfmt, ++lineno);
-                        htmlf(numberfmt, ++lineno);
+                while(idx < size - 1) { // skip absolute last newline
-                idx++;
+                        if (buf[idx] == '\n')
+                                htmlf(numberfmt, ++lineno);
+                        idx++;
+                }
        }
        html("</pre></td>\n");
        html("<td class='lines'><pre><code>");
        html_txt(buf);
        html("</code></pre></td></tr></table>\n");
 }
 #define ROWLEN 32
 static void print_binary_buffer(char *buf, unsigned long size)
 {
        unsigned long ofs, idx;
        static char ascii[ROWLEN + 1];
        html("<table summary='blob content' class='bin-blob'>\n");
        html("<tr><th>ofs</th><th>hex dump</th><th>ascii</th></tr>");
        for (ofs = 0; ofs < size; ofs += ROWLEN, buf += ROWLEN) {
                htmlf("<tr><td class='right'>%04x</td><td class='hex'>", ofs);
                for (idx = 0; idx < ROWLEN && ofs + idx < size; idx++)
                        htmlf("%*s%02x",
                              idx == 16 ? 4 : 1, "",
                              buf[idx] & 0xff);
                html(" </td><td class='hex'>");
                for (idx = 0; idx < ROWLEN && ofs + idx < size; idx++)
                        ascii[idx] = isgraph(buf[idx]) ? buf[idx] : '.';
                ascii[idx] = '\0';
                html_txt(ascii);
                html("</td></tr>\n");
        }
        html("</table>\n");
 }
 static void print_object(const unsigned char *sha1, char *path)
 {
        enum object_type type;
        char *buf;
        unsigned long size;
        type = sha1_object_info(sha1, &size);
        if (type == OBJ_BAD) {
                cgit_print_error(fmt("Bad object name: %s",
                                     sha1_to_hex(sha1)));
                return;
        }
        buf = read_sha1_file(sha1, &type, &size);
        if (!buf) {
                cgit_print_error(fmt("Error reading object %s",
                                     sha1_to_hex(sha1)));
                return;
        }
        html(" (");
        cgit_plain_link("plain", NULL, NULL, ctx.qry.head,
                        curr_rev, path);
        htmlf(")<br/>blob: %s\n", sha1_to_hex(sha1));
        if (buffer_is_binary(buf, size))
                print_binary_buffer(buf, size);
        else
                print_text_buffer(buf, size);
 }
author	Eric Wong <normalperson@yhbt.net>	2009-03-15 01:41:47 (UTC)
committer	Lars Hjemli <hjemli@gmail.com>	2009-03-15 07:46:15 (UTC)
commit	112973615a78ce61fd6e767128df03b075be72ca (patch) (unidiff)
tree	cf4b3eb63f42d77ac77f74d951f583e1503886aa
parent	6063e7b5532481ffaa7a6f080de28547983bbeb7 (diff)
download	cgit-112973615a78ce61fd6e767128df03b075be72ca.zip cgit-112973615a78ce61fd6e767128df03b075be72ca.tar.gz cgit-112973615a78ce61fd6e767128df03b075be72ca.tar.bz2

diff --git a/ui-tree.c b/ui-tree.c index c6159ec..553dbaa 100644 --- a/ui-tree.c +++ b/ui-tree.c
@@ -1,96 +1,99 @@
1	/* ui-tree.c: functions for tree output	1	/* ui-tree.c: functions for tree output
2	*	2	*
3	* Copyright (C) 2006 Lars Hjemli	3	* Copyright (C) 2006 Lars Hjemli
4	*	4	*
5	* Licensed under GNU General Public License v2	5	* Licensed under GNU General Public License v2
6	* (see COPYING for full license text)	6	* (see COPYING for full license text)
7	*/	7	*/
8		8
9	#include <ctype.h>	9	#include <ctype.h>
10	#include "cgit.h"	10	#include "cgit.h"
11	#include "html.h"	11	#include "html.h"
12	#include "ui-shared.h"	12	#include "ui-shared.h"
13		13
14	char *curr_rev;	14	char *curr_rev;
15	char *match_path;	15	char *match_path;
16	int header = 0;	16	int header = 0;
17		17
18	static void print_text_buffer(char *buf, unsigned long size)	18	static void print_text_buffer(char *buf, unsigned long size)
19	{	19	{
20	unsigned long lineno, idx;	20	unsigned long lineno, idx;
21	const char *numberfmt =	21	const char *numberfmt =
22	"<a class='no' id='n%1$d' name='n%1$d' href='#n%1$d'>%1$d</a>\n";	22	"<a class='no' id='n%1$d' name='n%1$d' href='#n%1$d'>%1$d</a>\n";
23		23
24	html("<table summary='blob content' class='blob'>\n");	24	html("<table summary='blob content' class='blob'>\n");
25	html("<tr><td class='linenumbers'><pre>");	25	html("<tr><td class='linenumbers'><pre>");
26	idx = 0;	26	idx = 0;
27	lineno = 0;	27	lineno = 0;
28	htmlf(numberfmt, ++lineno);	28
29	while(idx < size - 1) { // skip absolute last newline	29	if (size) {
30	if (buf[idx] == '\n')	30	htmlf(numberfmt, ++lineno);
31	htmlf(numberfmt, ++lineno);	31	while(idx < size - 1) { // skip absolute last newline
32	idx++;	32	if (buf[idx] == '\n')
		33	htmlf(numberfmt, ++lineno);
		34	idx++;
		35	}
33	}	36	}
34	html("</pre></td>\n");	37	html("</pre></td>\n");
35	html("<td class='lines'><pre><code>");	38	html("<td class='lines'><pre><code>");
36	html_txt(buf);	39	html_txt(buf);
37	html("</code></pre></td></tr></table>\n");	40	html("</code></pre></td></tr></table>\n");
38	}	41	}
39		42
40	#define ROWLEN 32	43	#define ROWLEN 32
41		44
42	static void print_binary_buffer(char *buf, unsigned long size)	45	static void print_binary_buffer(char *buf, unsigned long size)
43	{	46	{
44	unsigned long ofs, idx;	47	unsigned long ofs, idx;
45	static char ascii[ROWLEN + 1];	48	static char ascii[ROWLEN + 1];
46		49
47	html("<table summary='blob content' class='bin-blob'>\n");	50	html("<table summary='blob content' class='bin-blob'>\n");
48	html("<tr><th>ofs</th><th>hex dump</th><th>ascii</th></tr>");	51	html("<tr><th>ofs</th><th>hex dump</th><th>ascii</th></tr>");
49	for (ofs = 0; ofs < size; ofs += ROWLEN, buf += ROWLEN) {	52	for (ofs = 0; ofs < size; ofs += ROWLEN, buf += ROWLEN) {
50	htmlf("<tr><td class='right'>%04x</td><td class='hex'>", ofs);	53	htmlf("<tr><td class='right'>%04x</td><td class='hex'>", ofs);
51	for (idx = 0; idx < ROWLEN && ofs + idx < size; idx++)	54	for (idx = 0; idx < ROWLEN && ofs + idx < size; idx++)
52	htmlf("%*s%02x",	55	htmlf("%*s%02x",
53	idx == 16 ? 4 : 1, "",	56	idx == 16 ? 4 : 1, "",
54	buf[idx] & 0xff);	57	buf[idx] & 0xff);
55	html(" </td><td class='hex'>");	58	html(" </td><td class='hex'>");
56	for (idx = 0; idx < ROWLEN && ofs + idx < size; idx++)	59	for (idx = 0; idx < ROWLEN && ofs + idx < size; idx++)
57	ascii[idx] = isgraph(buf[idx]) ? buf[idx] : '.';	60	ascii[idx] = isgraph(buf[idx]) ? buf[idx] : '.';
58	ascii[idx] = '\0';	61	ascii[idx] = '\0';
59	html_txt(ascii);	62	html_txt(ascii);
60	html("</td></tr>\n");	63	html("</td></tr>\n");
61	}	64	}
62	html("</table>\n");	65	html("</table>\n");
63	}	66	}
64		67
65	static void print_object(const unsigned char sha1, char path)	68	static void print_object(const unsigned char sha1, char path)
66	{	69	{
67	enum object_type type;	70	enum object_type type;
68	char *buf;	71	char *buf;
69	unsigned long size;	72	unsigned long size;
70		73
71	type = sha1_object_info(sha1, &size);	74	type = sha1_object_info(sha1, &size);
72	if (type == OBJ_BAD) {	75	if (type == OBJ_BAD) {
73	cgit_print_error(fmt("Bad object name: %s",	76	cgit_print_error(fmt("Bad object name: %s",
74	sha1_to_hex(sha1)));	77	sha1_to_hex(sha1)));
75	return;	78	return;
76	}	79	}
77		80
78	buf = read_sha1_file(sha1, &type, &size);	81	buf = read_sha1_file(sha1, &type, &size);
79	if (!buf) {	82	if (!buf) {
80	cgit_print_error(fmt("Error reading object %s",	83	cgit_print_error(fmt("Error reading object %s",
81	sha1_to_hex(sha1)));	84	sha1_to_hex(sha1)));
82	return;	85	return;
83	}	86	}
84		87
85	html(" (");	88	html(" (");
86	cgit_plain_link("plain", NULL, NULL, ctx.qry.head,	89	cgit_plain_link("plain", NULL, NULL, ctx.qry.head,
87	curr_rev, path);	90	curr_rev, path);
88	htmlf(")<br/>blob: %s\n", sha1_to_hex(sha1));	91	htmlf(")<br/>blob: %s\n", sha1_to_hex(sha1));
89		92
90	if (buffer_is_binary(buf, size))	93	if (buffer_is_binary(buf, size))
91	print_binary_buffer(buf, size);	94	print_binary_buffer(buf, size);
92	else	95	else
93	print_text_buffer(buf, size);	96	print_text_buffer(buf, size);
94	}	97	}
95		98
96		99