builtin/receive-pack: fix incorrect pointer arithmetic

bk2204 · gitster · commit f2214dede950 · 2017-03-28T09:57:14.000-07:00
If we had already processed the last newline in a push certificate, we
would end up subtracting NULL from the end-of-certificate pointer when
computing the length of the line.  This would have resulted in an
absurdly large length, and possibly a buffer overflow.  Instead,
subtract the beginning-of-certificate pointer from the
end-of-certificate pointer, which is what's expected.

Note that this situation should never occur, since not only do we
require the certificate to be newline terminated, but the signature will
only be read from the beginning of a line.  Nevertheless, it seems
prudent to correct it.

Signed-off-by: brian m. carlson &lt;sandals@crustytoothpaste.net&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
diff --git a/builtin/receive-pack.c b/builtin/receive-pack.c
@@ -1127,7 +1127,7 @@ static void queue_commands_from_cert(struct command **tail,
 
 	while (boc < eoc) {
 		const char *eol = memchr(boc, '\n', eoc - boc);
-		tail = queue_command(tail, boc, eol ? eol - boc : eoc - eol);
+		tail = queue_command(tail, boc, eol ? eol - boc : eoc - boc);
 		boc = eol ? eol + 1 : eoc;
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -1127,7 +1127,7 @@ static void queue_commands_from_cert(struct command **tail,`
`1127`	`1127`
`1128`	`1128`	`while (boc < eoc) {`
`1129`	`1129`	`const char *eol = memchr(boc, '\n', eoc - boc);`
`1130`		`- tail = queue_command(tail, boc, eol ? eol - boc : eoc - eol);`
	`1130`	`+ tail = queue_command(tail, boc, eol ? eol - boc : eoc - boc);`
`1131`	`1131`	`boc = eol ? eol + 1 : eoc;`
`1132`	`1132`	`}`
`1133`	`1133`	`}`