color: protect against out-of-bounds reads and writes

want_color_fd() is designed to work only with standard output and
error file descriptors and stores information about each descriptor in
an array. However, it doesn't verify that the passed-in descriptor
lives within that set, which, with a buggy caller, could lead to
access or assignment outside the array bounds.

Signed-off-by: Eric Sunshine <redacted>
Acked-by: Johannes Schindelin <redacted>
Signed-off-by: Jonathan Nieder <redacted>
Signed-off-by: Junio C Hamano <redacted>

diff --git a/color.c b/color.c
index b1c24c69de652b0b8900e76ebd5b4e6cd24e5203..ebb222ec3323d45bdcd298208903dff9a90d5c3f 100644 (file)
--- a/color.c
+++ b/color.c
@@ -343,6 +343,9 @@ int want_color_fd(int fd, int var)
 
        static int want_auto[3] = { -1, -1, -1 };
 
+       if (fd < 1 || fd >= ARRAY_SIZE(want_auto))
+               BUG("file descriptor out of range: %d", fd);
+
        if (var < 0)
                var = git_use_color_default;