Commit 8991a328535f89f3f2257269f5c2d3fcec8bda69

Stefan Sperling 2021-08-26T07:08:48

add a missing bounds-check in got-fetch-pack when parsing server response

The tokenize_refline() function could end up reading past the end of the buffer if the refline is not terminated with whitespace or \0.

diff --git a/libexec/got-fetch-pack/got-fetch-pack.c b/libexec/got-fetch-pack/got-fetch-pack.c
index d3181d5..7666d8a 100644
--- a/libexec/got-fetch-pack/got-fetch-pack.c
+++ b/libexec/got-fetch-pack/got-fetch-pack.c
@@ -294,7 +294,7 @@ tokenize_refline(char **tokens, char *line, int len, int maxtokens)
 			n++;
 		}
 		p = line;
-		while (*line != '\0' &&
+		while (*line != '\0' && n < len &&
 		    (!isspace(*line) || i == maxtokens - 1)) {
 			line++;
 			n++;
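Review bot: The new condition still dereferences `*line` before it tests `n < len`, so when `n` reaches `len` one byte past the buffer is read before the bound ends the loop; testing the bound first avoids that: `while (n < len && *line != '\0' &&`. The loop that closes with `n++; }` at the top of the hunk starts outside it, so I cannot see its condition, but if it also advances `line` by inspecting `*line` it needs the same `n < len` guard. Since the refline comes from the server, `isspace(*line)` should also be given `(unsigned char)*line`, because a negative plain `char` is undefined behaviour for the `<ctype.h>` functions. The body of tokenize_refline() begins and ends outside this hunk.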