Merge branch 'bc/push-cert-receive-fix'

"git receive-pack" could have been forced to die by attempting
allocate an unreasonably large amount of memory with a crafted push
certificate; this has been fixed.

* bc/push-cert-receive-fix:
  builtin/receive-pack: fix incorrect pointer arithmetic

diff --git a/builtin/receive-pack.c b/builtin/receive-pack.c
index fb2a090..aca9c33 100644 (file)
--- a/builtin/receive-pack.c
+++ b/builtin/receive-pack.c
@@ -1524,7 +1524,7 @@ static void queue_commands_from_cert(struct command **tail,
 
        while (boc < eoc) {
                const char *eol = memchr(boc, '\n', eoc - boc);
-               tail = queue_command(tail, boc, eol ? eol - boc : eoc - eol);
+               tail = queue_command(tail, boc, eol ? eol - boc : eoc - boc);
                boc = eol ? eol + 1 : eoc;
        }
 }