Fix 'invalid packet line' for ng packets containing errors (cherry picked from commit 50dd7fea5ad1bf6c013b72ad0aa803a9c84cdede)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45
diff --git a/src/transports/smart_pkt.c b/src/transports/smart_pkt.c
index d10d6c6..d66ee3e 100644
--- a/src/transports/smart_pkt.c
+++ b/src/transports/smart_pkt.c
@@ -290,7 +290,7 @@ static int ok_pkt(git_pkt **out, const char *line, size_t len)
static int ng_pkt(git_pkt **out, const char *line, size_t len)
{
git_pkt_ng *pkt;
- const char *ptr;
+ const char *ptr, *eol;
size_t alloclen;
pkt = git__malloc(sizeof(*pkt));
@@ -299,11 +299,13 @@ static int ng_pkt(git_pkt **out, const char *line, size_t len)
pkt->ref = NULL;
pkt->type = GIT_PKT_NG;
+ eol = line + len;
+
if (len < 3)
goto out_err;
line += 3; /* skip "ng " */
- len -= 3;
- if (!(ptr = memchr(line, ' ', len)))
+
+ if (!(ptr = memchr(line, ' ', eol - line)))
goto out_err;
len = ptr - line;
@@ -314,11 +316,11 @@ static int ng_pkt(git_pkt **out, const char *line, size_t len)
memcpy(pkt->ref, line, len);
pkt->ref[len] = '\0';
- if (len < 1)
- goto out_err;
line = ptr + 1;
- len -= 1;
- if (!(ptr = memchr(line, '\n', len)))
+ if (line >= eol)
+ goto out_err;
+
+ if (!(ptr = memchr(line, '\n', eol - line)))
goto out_err;
len = ptr - line;