Log Message: |
Fix a 'dereference pointer to the wrong object' crash in the conflict resolver.

* subversion/libsvn_client/conflicts.c
  (configure_option_incoming_move_file_merge,
   configure_option_incoming_dir_merge): The tree_conflict_incoming_details
   pointer does not necessarily point to a data structure of type struct
   conflict_tree_incoming_delete_details. E.g. in case of incoming edits
   it will point to an apr_array_header_t.

   Only cast this pointer to struct conflict_tree_incoming_delete_details
   if the incoming change is in fact a deletion. Otherwise, we can crash
   since struct conflict_tree_incoming_delete_details (72 bytes) is larger
   than apr_array_header_t (32 bytes), and a read of the larger type through
   this pointer could run into unmapped address space.

   Generally, accessing one type of object through another type of pointer
   is undefined behaviour.

Found by: svn-bb-openbsd buildbot
Discussed with: brane
|
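The check this log message describes, as an added example that is not Subversion's code: a discriminator is consulted before the untyped details pointer is read as the larger struct. The types, field names and the `incoming_move_target`, `demo_edit` and `demo_delete` functions are hypothetical stand-ins, and the sample data is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for illustration; not Subversion's definitions. */
enum incoming_change { CHANGE_EDIT, CHANGE_DELETE };
struct edits_array { int nelts; void *elts; };  /* role of apr_array_header_t */
struct delete_details {           /* role of the larger details struct */
    long deleted_rev;
    const char *moved_to_relpath; /* NULL when the deletion was not a move */
};
struct conflict {
    enum incoming_change incoming_change; /* discriminator */
    void *incoming_details;               /* pointee type depends on it */
};

/* Move target of an incoming deletion, or NULL when the details object is
   some other type (or absent) and must not be read as delete_details. */
const char *incoming_move_target(const struct conflict *c)
{
    const struct delete_details *d;

    if (c == NULL || c->incoming_change != CHANGE_DELETE)
        return NULL;              /* e.g. incoming edit: details is an array */
    d = c->incoming_details;
    return d != NULL ? d->moved_to_relpath : NULL;
}

/* Constructed sample: incoming edit, details point at the smaller object. */
const char *demo_edit(void)
{
    struct edits_array a = { 0, NULL };
    struct conflict c = { CHANGE_EDIT, &a };
    return incoming_move_target(&c);
}

/* Constructed sample: incoming deletion that was a move. */
const char *demo_delete(void)
{
    struct delete_details d = { 10, "trunk/new.c" };
    struct conflict c = { CHANGE_DELETE, &d };
    return incoming_move_target(&c);
}

int main(void)
{
    const char *e = demo_edit();
    printf("edit: %s\ndelete: %s\n", e ? e : "(none)", demo_delete());
    return 0;
}
```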