delta/libgit2.git/src/tree.c, branch threading-docs github.com: libgit2/libgit2.git tree: cast filename length in git_tree__parse_raw 2019-01-25T22:31:01+00:00 Edward Thomson ethomson@edwardthomson.com 2019-01-20T20:38:25+00:00 3aa6d96a230d15620df0c6ea2ecaae54f5b49941 Quiet down a warning from MSVC about how we're potentially losing data. Ensure that we're within a uint16_t before we do. 
Quiet down a warning from MSVC about how we're potentially losing data.
Ensure that we're within a uint16_t before we do.
git_error: use new names in internal APIs and usage 2019-01-22T22:30:35+00:00 Edward Thomson ethomson@edwardthomson.com 2018-12-27T19:47:34+00:00 f673e232afe22eb865cdc915e55a2df6493f0fbb Move to the `git_error` name in the internal API for error-related functions. 
Move to the `git_error` name in the internal API for error-related
functions.
object_type: use new enumeration names 2018-12-01T11:54:57+00:00 Edward Thomson ethomson@edwardthomson.com 2018-11-28T14:26:57+00:00 168fe39bea3368972a8b1a33d5908e73bc790c18 Use the new object_type enumeration names within the codebase. 
Use the new object_type enumeration names within the codebase.
khash: remove intricate knowledge of khash types 2018-11-28T14:22:27+00:00 Patrick Steinhardt ps@pks.im 2018-11-23T18:26:24+00:00 852bc9f4967d3bd70a284794ff486253e37c6980 Instead of using the `khiter_t`, `git_strmap_iter` and `khint_t` types, simply use `size_t` instead. This decouples code from the khash stuff and makes it possible to move the khash includes into the implementation files. 
Instead of using the `khiter_t`, `git_strmap_iter` and `khint_t` types,
simply use `size_t` instead. This decouples code from the khash stuff
and makes it possible to move the khash includes into the implementation
files.
tree: fix integer overflow when reading unreasonably large filemodes 2018-11-02T12:31:09+00:00 Patrick Steinhardt ps@pks.im 2018-10-29T17:32:39+00:00 7fafec0e53f8711b73912d46b43451c599aeceb3 The `parse_mode` option uses an open-coded octal number parser. The parser is quite naive in that it simply parses until hitting a character that is not in the accepted range of '0' - '7', completely ignoring the fact that we can at most accept a 16 bit unsigned integer as filemode. If the filemode is bigger than UINT16_MAX, it will thus overflow and provide an invalid filemode for the object entry. Fix the issue by using `git__strntol32` instead and doing a bounds check. As this function already handles overflows, it neatly solves the problem. Note that previously, `parse_mode` was also skipping the character immediately after the filemode. In proper trees, this should be a simple space, but in fact the parser accepted any character and simply skipped over it. As a consequence of using `git__strntol32`, we now need to an explicit check for a trailing whitespace after having parsed the filemode. Because of the newly introduced error message, the test object::tree::parse::mode_doesnt_cause_oob_read needs adjustment to its error message check, which in fact is a good thing as it demonstrates that we now fail looking for the whitespace immediately following the filemode. Add a test that shows that we will fail to parse such invalid filemodes now. 
The `parse_mode` option uses an open-coded octal number parser. The
parser is quite naive in that it simply parses until hitting a character
that is not in the accepted range of '0' - '7', completely ignoring the
fact that we can at most accept a 16 bit unsigned integer as filemode.
If the filemode is bigger than UINT16_MAX, it will thus overflow and
provide an invalid filemode for the object entry.

Fix the issue by using `git__strntol32` instead and doing a bounds
check. As this function already handles overflows, it neatly solves the
problem.

Note that previously, `parse_mode` was also skipping the character
immediately after the filemode. In proper trees, this should be a simple
space, but in fact the parser accepted any character and simply skipped
over it. As a consequence of using `git__strntol32`, we now need to an
explicit check for a trailing whitespace after having parsed the
filemode. Because of the newly introduced error message, the test
object::tree::parse::mode_doesnt_cause_oob_read needs adjustment to its
error message check, which in fact is a good thing as it demonstrates
that we now fail looking for the whitespace immediately following the
filemode.

Add a test that shows that we will fail to parse such invalid filemodes
now.
tree: fix mode parsing reading out-of-bounds 2018-11-02T12:31:09+00:00 Patrick Steinhardt ps@pks.im 2018-10-29T16:25:09+00:00 f647bbc88d243a81d8771ba2fd1c346c34a3d9d7 When parsing a tree entry's mode, we will eagerly parse until we hit a character that is not in the accepted set of octal digits '0' - '7'. If the provided buffer is not a NUL terminated one, we may thus read out-of-bounds. Fix the issue by passing the buffer length to `parse_mode` and paying attention to it. Note that this is not a vulnerability in our usual code paths, as all object data read from the ODB is NUL terminated. 
When parsing a tree entry's mode, we will eagerly parse until we hit a
character that is not in the accepted set of octal digits '0' - '7'. If
the provided buffer is not a NUL terminated one, we may thus read
out-of-bounds.

Fix the issue by passing the buffer length to `parse_mode` and paying
attention to it. Note that this is not a vulnerability in our usual code
paths, as all object data read from the ODB is NUL terminated.
tree: unify the entry validity checks 2018-10-08T11:15:31+00:00 Carlos Martín Nieto cmn@dwim.me 2018-10-08T11:15:31+00:00 fd490d3ed5812b930768071433882ffae14da468 We have two similar functions, `git_treebuilder_insert` and `append_entry` which are used in different codepaths as part of creating a new tree. The former learnt to check for object existence under strict object creation, but the latter did not. This allowed the creation of a tree from an unowned index to bypass some of the checks and create a tree pointing to a nonexistent object. Extract a single function which performs these checks and call it from both codepaths. In `append_entry` we still do not validate when asked not to, as this is data which is already in the tree and we want to allow users to deal with repositories which already have some invalid data. 
We have two similar functions, `git_treebuilder_insert` and `append_entry` which
are used in different codepaths as part of creating a new tree. The former
learnt to check for object existence under strict object creation, but the
latter did not.

This allowed the creation of a tree from an unowned index to bypass some of the
checks and create a tree pointing to a nonexistent object.

Extract a single function which performs these checks and call it from both
codepaths. In `append_entry` we still do not validate when asked not to, as this
is data which is already in the tree and we want to allow users to deal with
repositories which already have some invalid data.
Merge pull request #4727 from libgit2/cmn/null-oid-existing-tree 2018-08-26T10:33:42+00:00 Edward Thomson ethomson@edwardthomson.com 2018-08-26T10:33:42+00:00 85eb2cb67611483cc13c9d16589b88a6cb9dd19d tree: accept null ids in existing trees when updating 
tree: accept null ids in existing trees when updating
 tree: rename from_tree to validate and clarify the tree in the test 2018-07-27T10:00:37+00:00 Carlos Martín Nieto cmn@dwim.me 2018-07-27T10:00:37+00:00 f00db9ed67423b04976f8d20b0de2ee1fb7c3993 






tree: accept null ids in existing trees when updating
2018-07-18T19:07:57+00:00

Carlos Martín Nieto
cmn@dwim.me

2018-07-18T19:04:13+00:00

2dff7e282da77f6b791e843ec267d9ddecabc187

When we add entries to a treebuilder we validate them. But we validate even
those that we're adding because they exist in the base tree. This disables
using the normal mechanisms on these trees, even to fix them.

Keep track of whether the entry we're appending comes from an existing tree and
bypass the name and id validation if it's from existing data.





When we add entries to a treebuilder we validate them. But we validate even
those that we're adding because they exist in the base tree. This disables
using the normal mechanisms on these trees, even to fix them.

Keep track of whether the entry we're appending comes from an existing tree and
bypass the name and id validation if it's from existing data.