Jeff King wrote:

> When we generate relative names (e.g., "master~20^2"), we
> format the name into a static buffer, then xstrdup the
> result to attach it to the commit. Since the first thing we
> add into the static buffer is the already-computed name of
> the child commit, the names may get longer and longer as
> the traversal gets deeper, and we may eventually overflow
> the fixed-size buffer.

Good catch.

> Though this is a stack overflow, I don't know that it's exploitable for
> anything interesting; an attacker does not get to write arbitrary data,
> but rather only a sequence of "^%d" and "~%d" relative history markers.
> Perhaps in theory one could devise a history such that the sequence
> markers spelled out some malicious code, but it would be quite a
> challenge

Overwrite the return address and return-to-libc?

> --- a/builtin/show-branch.c
> +++ b/builtin/show-branch.c

Very clean and obviously correct.  Thanks.

Reviewed-by: Jonathan Nieder <>

A test would be nice, though.

Hope that helps,
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to
More majordomo info at

Reply via email to