From 112973615a78ce61fd6e767128df03b075be72ca Mon Sep 17 00:00:00 2001 From: Eric Wong Date: Sat, 14 Mar 2009 18:41:47 -0700 Subject: fix segfault when displaying empty blobs When size is zero, subtracting one from it turns it into ULONG_MAX which causes an out-of-bounds access on buf. Signed-off-by: Eric Wong Signed-off-by: Lars Hjemli --- ui-tree.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/ui-tree.c b/ui-tree.c index c6159ec..553dbaa 100644 --- a/ui-tree.c +++ b/ui-tree.c @@ -25,11 +25,14 @@ static void print_text_buffer(char *buf, unsigned long size) html("
");
 	idx = 0;
 	lineno = 0;
-	htmlf(numberfmt, ++lineno);
-	while(idx < size - 1) { // skip absolute last newline
-		if (buf[idx] == '\n')
-			htmlf(numberfmt, ++lineno);
-		idx++;
+
+	if (size) {
+		htmlf(numberfmt, ++lineno);
+		while(idx < size - 1) { // skip absolute last newline
+			if (buf[idx] == '\n')
+				htmlf(numberfmt, ++lineno);
+			idx++;
+		}
 	}
 	html("
\n"); html("
");
-- 
cgit v1.2.3


From 6fddad7251021b307c8a3f70fdd2aa04c3f74eaa Mon Sep 17 00:00:00 2001
From: Lars Hjemli 
Date: Sun, 15 Mar 2009 08:57:33 +0100
Subject: ui-snapshot: avoid segfault when no filename is specified

Signed-off-by: Lars Hjemli 
---
 ui-snapshot.c | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/ui-snapshot.c b/ui-snapshot.c
index f25613e..5372f5d 100644
--- a/ui-snapshot.c
+++ b/ui-snapshot.c
@@ -156,20 +156,31 @@ static const char *get_ref_from_filename(const char *url, const char *filename,
 	return NULL;
 }
 
+void show_error(char *msg)
+{
+	ctx.page.mimetype = "text/html";
+	cgit_print_http_headers(&ctx);
+	cgit_print_docstart(&ctx);
+	cgit_print_pageheader(&ctx);
+	cgit_print_error(msg);
+	cgit_print_docend();
+}
+
 void cgit_print_snapshot(const char *head, const char *hex,
 			 const char *filename, int snapshots, int dwim)
 {
 	const struct cgit_snapshot_format* f;
 	char *prefix = NULL;
 
+	if (!filename) {
+		show_error("No snapshot name specified");
+		return;
+	}
+
 	f = get_format(filename);
 	if (!f) {
-		ctx.page.mimetype = "text/html";
-		cgit_print_http_headers(&ctx);
-		cgit_print_docstart(&ctx);
-		cgit_print_pageheader(&ctx);
-		cgit_print_error(fmt("Unsupported snapshot format: %s", filename));
-		cgit_print_docend();
+		show_error(xstrdup(fmt("Unsupported snapshot format: %s",
+				       filename)));
 		return;
 	}
 
-- 
cgit v1.2.3