fix segfault when displaying empty blobs When size is zero, subtracting one from it turns it into ULONG_MAX which causes an out-of-bounds access on buf. Signed-off-by: Eric Wong <normalperson@yhbt.net> Signed-off-by: Lars Hjemli <hjemli@gmail.com>
Eric Wong normalperson@yhbt.net
Sat, 14 Mar 2009 18:41:47 -0700
1 files changed,
8 insertions(+),
5 deletions(-)
jump to
M
ui-tree.c
→
ui-tree.c
@@ -25,11 +25,14 @@ html("<table summary='blob content' class='blob'>\n");
html("<tr><td class='linenumbers'><pre>"); idx = 0; lineno = 0; - htmlf(numberfmt, ++lineno); - while(idx < size - 1) { // skip absolute last newline - if (buf[idx] == '\n') - htmlf(numberfmt, ++lineno); - idx++; + + if (size) { + htmlf(numberfmt, ++lineno); + while(idx < size - 1) { // skip absolute last newline + if (buf[idx] == '\n') + htmlf(numberfmt, ++lineno); + idx++; + } } html("</pre></td>\n"); html("<td class='lines'><pre><code>");