From: Dave Borowitz <dborowitz@google.com>
Date: Thu, 8 Apr 2010 01:05:05 +0000 (+0200)
Subject: Ensure we don't run past the end of the tree text.
X-Git-Tag: dulwich-0.6.0~55
X-Git-Url: http://git.samba.org/samba.git/?p=jelmer%2Fdulwich-libgit2.git;a=commitdiff_plain;h=4974efb21bc61bfc457022da66a5b29cc2095403;hp=4e761028eca2cfe78a87469b7dc6b43785591b3f

Ensure we don't run past the end of the tree text.

We use strnlen so we can find namelen even if the buffer is truncated
in the name. This is not necessary for Python string objects, which are
guaranteed to be null-terminated, but some buffer objects (e.g. mmap)
may not be.
---

diff --git a/dulwich/_objects.c b/dulwich/_objects.c
index 7ef7ad4..fef82e7 100644
--- a/dulwich/_objects.c
+++ b/dulwich/_objects.c
@@ -37,7 +37,7 @@ static PyObject *sha_to_pyhex(const unsigned char *sha)
 
 static PyObject *py_parse_tree(PyObject *self, PyObject *args)
 {
-	char *text, *end;
+	char *text, *start, *end;
 	int len, namelen;
 	PyObject *ret, *item, *name;
 
@@ -52,6 +52,7 @@ static PyObject *py_parse_tree(PyObject *self, PyObject *args)
 		return NULL;
 	}
 
+	start = text;
 	end = text + len;
 
 	while (text < end) {
@@ -66,7 +67,7 @@ static PyObject *py_parse_tree(PyObject *self, PyObject *args)
 
 		text++;
 
-		namelen = strlen(text);
+		namelen = strnlen(text, len - (text - start));
 
 		name = PyString_FromStringAndSize(text, namelen);
 		if (name == NULL) {