* Ingo Molnar <[EMAIL PROTECTED]> wrote:

> this patch fixes a memory leak in read-cache.c: when there's cache 
> entry collision we should free the previous one.

> +             free(active_cache[pos]);
>               active_cache[pos] = ce;

i'm having second thoughs about this one: active_cache entries are not 
always malloc()-ed - e.g. read_cache() will construct them from the 
mmap() of the index file. Which must not be free()d!

one safe solution would be to malloc() all these entries and copy them 
over from the index file? Slightly slower but safer and free()-able when 
update-cache.c notices a collision. The (tested) patch below does this.

this would also make Martin Schlemmer's update-cache.c fix safe.

(without this second patch, free(active_cache[pos]) might crash, and 
that crash is would possibly be remote exploitable via a special 
repository that tricks the index file to look in a certain way.)


Signed-off-by: Ingo Molnar <[EMAIL PROTECTED]>

--- read-cache.c.orig
+++ read-cache.c
@@ -453,10 +453,17 @@ int read_cache(void)
        offset = sizeof(*hdr);
        for (i = 0; i < hdr->entries; i++) {
-               struct cache_entry *ce = map + offset;
+               struct cache_entry *ce = map + offset, *tmp;
                offset = offset + ce_size(ce);
-               active_cache[i] = ce;
+               tmp = malloc(ce_size(ce));
+               if (!tmp)
+                       return error("malloc failed");
+               memcpy(tmp, ce, ce_size(ce));
+               active_cache[i] = tmp;
+       munmap(map, size);
        return active_nr;

To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to