Merge branch 'ps/build-sign-compare' into jch

gitster · gitster · commit 9e231ffddfc6 · 2025-01-09T13:03:57.000-08:00
* ps/build-sign-compare:
  SQUASH???
  builtin/blame: fix out-of-bounds read with excessive `--abbrev`
diff --git a/builtin/blame.c b/builtin/blame.c
@@ -505,7 +505,10 @@ static void emit_other(struct blame_scoreboard *sb, struct blame_entry *ent, int
 			length--;
 			putchar('?');
 		}
-		fwrite(hex, 1, length, stdout);
+
+		if (length > GIT_MAX_HEXSZ)
+			length = GIT_MAX_HEXSZ;
+		printf("%.*s", (int)length, hex);
 		if (opt & OUTPUT_ANNOTATE_COMPAT) {
 			const char *name;
 			if (opt & OUTPUT_SHOW_EMAIL)
diff --git a/t/t8002-blame.sh b/t/t8002-blame.sh
@@ -126,6 +126,11 @@ test_expect_success '--no-abbrev works like --abbrev with full length' '
 	check_abbrev $hexsz --no-abbrev
 '
 
+test_expect_success 'blame --abbrev gets truncated' '
+	check_abbrev $hexsz --abbrev=9000 HEAD &&
+	check_abbrev $hexsz --abbrev=9000 HEAD..
+'
+
 test_expect_success '--exclude-promisor-objects does not BUG-crash' '
 	test_must_fail git blame --exclude-promisor-objects one
 '

Original file line number	Diff line number	Diff line change
`@@ -126,6 +126,11 @@ test_expect_success '--no-abbrev works like --abbrev with full length' '`
`126`	`126`	`check_abbrev $hexsz --no-abbrev`
`127`	`127`	`'`
`128`	`128`
	`129`	`+test_expect_success 'blame --abbrev gets truncated' '`
	`130`	`+ check_abbrev $hexsz --abbrev=9000 HEAD &&`
	`131`	`+ check_abbrev $hexsz --abbrev=9000 HEAD..`
	`132`	`+'`
	`133`	`+`
`129`	`134`	`test_expect_success '--exclude-promisor-objects does not BUG-crash' '`
`130`	`135`	`test_must_fail git blame --exclude-promisor-objects one`
`131`	`136`	`'`