Ensure we don't run past the end of the tree text.

We use strnlen so we can find namelen even if the buffer is truncated
in the name. This is not necessary for Python string objects, which are
guaranteed to be null-terminated, but some buffer objects (e.g. mmap)
may not be.

diff --git a/dulwich/_objects.c b/dulwich/_objects.c
index 7ef7ad4c4aa2553aed094fcbc1b607da8dac71ee..fef82e78f791f35f5cbc9feecab8eea7584d7715 100644 (file)
--- a/dulwich/_objects.c
+++ b/dulwich/_objects.c
@@ -37,7 +37,7 @@ static PyObject *sha_to_pyhex(const unsigned char *sha)
 
 static PyObject *py_parse_tree(PyObject *self, PyObject *args)
 {
-       char *text, *end;
+       char *text, *start, *end;
        int len, namelen;
        PyObject *ret, *item, *name;
 
@@ -52,6 +52,7 @@ static PyObject *py_parse_tree(PyObject *self, PyObject *args)
                return NULL;
        }
 
+       start = text;
        end = text + len;
 
        while (text < end) {
@@ -66,7 +67,7 @@ static PyObject *py_parse_tree(PyObject *self, PyObject *args)
 
                text++;
 
-               namelen = strlen(text);
+               namelen = strnlen(text, len - (text - start));
 
                name = PyString_FromStringAndSize(text, namelen);
                if (name == NULL) {