From 78fae47878111dd9833345fa622bafb51e5d69b5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Carlos=20Mart=C3=ADn=20Nieto?=
Date: Mon, 6 Jun 2011 14:19:47 +0200
Subject: [PATCH] pkt: make sure we really only read the length
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

A pkt-line's length are described in its first four bytes in ASCII hex. Copy this substring to another string before feeding it to git__strtol32. Otherwise, it will read the whole hash.

Signed-off-by: Carlos Martín Nieto
---
 src/pkt.c | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/src/pkt.c b/src/pkt.c
index bf460e55d..782b88569 100644
--- a/src/pkt.c
+++ b/src/pkt.c
@@ -61,14 +61,27 @@ int git_pkt_parse_line(git_pkt **head, const char *line, const char **out)
 {
 int error = GIT_SUCCESS;
 long int len;
+ const int num_len = 4;
+ char *num;
 const char *num_end;
 git_pkt *pkt;
 
- error = git__strtol32(&len, line, &num_end, 16);
- if (error < GIT_SUCCESS)
- return error;
+ num = git__strndup(line, num_len);
+ if (num == NULL)
+ return GIT_ENOMEM;
 
- line = num_end;
+ error = git__strtol32(&len, num, &num_end, 16);
+ if (error < GIT_SUCCESS) {
+ free(num);
+ return error;
+ }
+ if (num_end - num != num_len) {
+ free(num);
+ return git__throw(GIT_EOBJCORRUPTED, "Wrong pkt length");
+ }
+ free(num);
+
+ line += num_len;
 /*
 * TODO: How do we deal with empty lines? Try again? with the next
 * line?
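Review bot: The new check `num_end - num != num_len` only proves that four characters were consumed, not that all four were hex digits, and these bytes come straight from the remote peer. If git__strtol32 follows strtol conventions (its body is not in this hunk), a sign, leading whitespace or a `0x` prefix inside the four-byte field would still pass and could hand a negative or unintended `len` to the code after the hunk. Validating each byte with `isxdigit` before converting closes that gap. Copying into a five-byte stack buffer also removes the allocation, the GIT_ENOMEM path and the three `free(num)` calls. The sketch needs `<ctype.h>`, and the rest of git_pkt_parse_line lies outside the hunk.

```c
	long int len;
	enum { num_len = 4 };		/* a pkt-line length is four ASCII hex digits */
	char num[num_len + 1];		/* stack copy: nothing to free on any path */
	const char *num_end;
	int i;
	/* … unchanged: pkt declaration … */

	for (i = 0; i < num_len; i++) {
		/* rejects sign, whitespace and "0x"; also stops at an early NUL */
		if (!isxdigit((unsigned char)line[i]))
			return git__throw(GIT_EOBJCORRUPTED, "Wrong pkt length");
		num[i] = line[i];
	}
	num[num_len] = '\0';

	error = git__strtol32(&len, num, &num_end, 16);
	if (error < GIT_SUCCESS)
		return error;

	line += num_len;
	/* … unchanged: TODO comment and the rest of the function … */
```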