Resolved invalid memory write in --args FILE handling when FILE contains embedded NULs, as reported in [forum:/forumpost/7b34eecc1b8cf5d2|forum post 7b34eecc1b8cf5d2]. Cause: mismatch between --args expansion's own line counting vs blob_line() counting. All bytes after the first embedded NUL are now effectively ignored.
Commit
e120c2a9a7278cbc48be7f20110799c954770149755c7b6eee3815d2304224f5
Parent
e3066edea3d0cef…
1 file changed
+7
-1
+7
-1
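--- a/src/main.c
+++ b/src/main.c
@@ -473,11 +473,17 @@
 nArg = g.argc + nLine*2;
 newArgv = fossil_malloc( sizeof(char*)*nArg );
 for(j=0; j<i; j++) newArgv[j] = g.argv[j];
 
 blob_rewind(&file);
-while( (n = blob_line(&file, &line))>0 ){
+while( nLine-->0 && (n = blob_line(&file, &line))>0 ){
+/* Reminder: ^^^ nLine check avoids that embedded NUL bytes in the
+** --args file causes nLine to be less than blob_line() will end
+** up reporting in that case, which leads to an memory illegal
+** write. See forum post
+** https://fossil-scm.org/forum/forumpost/7b34eecc1b8c for
+** details */
 if( n<1 ){
 /* Reminder: corner-case: a line with 1 byte and no newline. */
 continue;
 }
 z = blob_buffer(&line);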
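Review bot: The `nLine-->0` guard on new line 478 leaves nLine at -1 after a normal exit (the decrement also runs on the final failing test) and at some positive remainder if blob_line() stops early, so any use of nLine after the loop — the function continues outside the hunk — would no longer see the count that nArg was sized from; if it is used, iterate on a separate index instead, e.g. `for(j=0; j<nLine && (n = blob_line(&file, &line))>0; j++){`, since j is free once the copy loop above finishes. With the loop condition already requiring n>0, the retained `if( n<1 )` branch appears unreachable, so the "1 byte and no newline" corner case it mentions is presumably not being handled as intended and is worth a look while here. The added comment would also read better as `** up reporting in that case, which leads to an illegal memory write.` Bounding the loop by the count the allocation was sized from is the right defensive fix; as the commit message notes, everything after the first NUL is now silently dropped, and a `fossil_fatal()` on an --args file containing NUL bytes would make that condition visible to the user rather than silently truncating the argument list.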
| --- src/main.c | |
| +++ src/main.c | |
| @@ -473,11 +473,17 @@ | |
| 473 | nArg = g.argc + nLine*2; |
| 474 | newArgv = fossil_malloc( sizeof(char*)*nArg ); |
| 475 | for(j=0; j<i; j++) newArgv[j] = g.argv[j]; |
| 476 | |
| 477 | blob_rewind(&file); |
| 478 | while( (n = blob_line(&file, &line))>0 ){ |
| 479 | if( n<1 ){ |
| 480 | /* Reminder: corner-case: a line with 1 byte and no newline. */ |
| 481 | continue; |
| 482 | } |
| 483 | z = blob_buffer(&line); |
| 484 |
| --- src/main.c | |
| +++ src/main.c | |
| @@ -473,11 +473,17 @@ | |
| 473 | nArg = g.argc + nLine*2; |
| 474 | newArgv = fossil_malloc( sizeof(char*)*nArg ); |
| 475 | for(j=0; j<i; j++) newArgv[j] = g.argv[j]; |
| 476 | |
| 477 | blob_rewind(&file); |
| 478 | while( nLine-->0 && (n = blob_line(&file, &line))>0 ){ |
| 479 | /* Reminder: ^^^ nLine check avoids that embedded NUL bytes in the |
| 480 | ** --args file causes nLine to be less than blob_line() will end |
| 481 | ** up reporting in that case, which leads to an memory illegal |
| 482 | ** write. See forum post |
| 483 | ** https://fossil-scm.org/forum/forumpost/7b34eecc1b8c for |
| 484 | ** details */ |
| 485 | if( n<1 ){ |
| 486 | /* Reminder: corner-case: a line with 1 byte and no newline. */ |
| 487 | continue; |
| 488 | } |
| 489 | z = blob_buffer(&line); |
| 490 |