List for cgit developers and users
From: e at 80x24.org (Eric Wong)
Subject: [PATCH] ui-shared: fix segfault in cgit_set_title_from_path
Date: Wed,  2 Jan 2019 06:50:04 +0000
Message-ID: <20190102065004.18253-1-e@80x24.org>

The following invocation of strncat uses a bogus size and
caused segfaults on my system:

  strncat(new_title, ctx.page.title, sizeof(new_title) - strlen(new_title) - 1);

Since str*cat functions are all bug-prone and slow (need to
search for '\0' at every invocation), switch to the safer and
easier-to-use strbuf* git API instead.
---
 ui-shared.c | 24 ++++++++++--------------
 1 file changed, 10 insertions(+), 14 deletions(-)

diff --git a/ui-shared.c b/ui-shared.c
index 7a4c726..bef8a78 100644
--- a/ui-shared.c
+++ b/ui-shared.c
@@ -1192,15 +1192,14 @@ void cgit_print_snapshot_links(const struct cgit_repo *repo, const char *ref,
 
 void cgit_set_title_from_path(const char *path)
 {
-	size_t path_len, path_index, path_last_end, line_len;
-	char *new_title;
+	size_t path_len, path_index, path_last_end;
+	struct strbuf sb;
 
 	if (!path)
 		return;
 
 	path_len = strlen(path);
-	new_title = xmalloc(path_len + 3 + strlen(ctx.page.title) + 1);
-	new_title[0] = '\0';
+	strbuf_init(&sb, path_len + 3 + strlen(ctx.page.title) + 1);
 
 	for (path_index = path_len, path_last_end = path_len; path_index-- > 0;) {
 		if (path[path_index] == '/') {
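
Review bot: The size passed to strbuf_init() is copied verbatim from the old xmalloc() call, including the `+ 1` for the terminator, but with strbuf it is only a preallocation hint and strbuf reserves room for the trailing NUL itself. Dropping the `+ 1`, or declaring `struct strbuf sb = STRBUF_INIT;` and letting the buffer grow on demand, would make it clearer that correctness no longer depends on this arithmetic. The strlen(ctx.page.title) in that expression also still assumes a non-NULL title, while only path is checked above it.
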
@@ -1208,19 +1207,16 @@ void cgit_set_title_from_path(const char *path)
 				path_last_end = path_index - 1;
 				continue;
 			}
-			strncat(new_title, &path[path_index + 1], path_last_end - path_index - 1);
-			line_len = strlen(new_title);
-			new_title[line_len++] = '\\';
-			new_title[line_len] = '\0';
+			strbuf_add(&sb, &path[path_index + 1],
+			           path_last_end - path_index - 1);
+			strbuf_addch(&sb, '\\');
 			path_last_end = path_index;
 		}
 	}
 	if (path_last_end)
-		strncat(new_title, path, path_last_end);
+		strbuf_add(&sb, path, path_last_end);
 
-	line_len = strlen(new_title);
-	memcpy(&new_title[line_len], " - ", 3);
-	new_title[line_len + 3] = '\0';
-	strncat(new_title, ctx.page.title, sizeof(new_title) - strlen(new_title) - 1);
-	ctx.page.title = new_title;
+	strbuf_add(&sb, " - ", 3);
+	strbuf_addstr(&sb, ctx.page.title);
+	ctx.page.title = strbuf_detach(&sb, NULL);
 }
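
Review bot: The two strbuf_add() calls that replace strncat() in the loop and after it change what the length argument means: strncat() treated it as an upper bound and stopped at the first NUL in the source, while strbuf_add() copies exactly that many bytes. `path_last_end - path_index - 1` is a size_t subtraction, and the context line `path_last_end = path_index - 1;` in the branch above can leave path_last_end below a later path_index + 1, so it is worth confirming that the difference can never wrap (for example with a trailing or doubled '/'), or guarding it with a check that path_last_end > path_index before the call. The commit message could also say why the old size was bogus: new_title was a `char *`, so sizeof(new_title) was the size of a pointer rather than of the allocation.
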
-- 
EW


