config_file: properly ignore includes without "path" value

In case a configuration includes a key "include.path=" without any
value, the generated configuration entry will have its value set to
`NULL`. This is unexpected by the logic handling includes, and as soon
as we try to calculate the included path we will unconditionally
dereference that `NULL` pointer and thus segfault.

Fix the issue by returning early in both `parse_include` and
`parse_conditional_include` in case where the `file` argument is `NULL`.
Add a test to avoid future regression.

The issue has been found by the oss-fuzz project, issue 10810.

2 files changed, 14 insertions, 1 deletions

diff --git a/src/config_file.c b/src/config_file.c
index e8740d35f..57db97d8b 100644
--- a/src/config_file.c
+++ b/src/config_file.c
@@ -664,6 +664,9 @@ static int parse_include(git_config_parser *reader,
 	char *dir;
 	int result;
 
+	if (!file)
+		return 0;
+
 	if ((result = git_path_dirname_r(&path, reader->file->path)) < 0)
 		return result;
 
@@ -765,7 +768,7 @@ static int parse_conditional_include(git_config_parser *reader,
 	size_t i;
 	int error = 0, matches;
 
-	if (!parse_data->repo)
+	if (!parse_data->repo || !file)
 		return 0;
 
 	condition = git__substrdup(section + strlen("includeIf."),
diff --git a/tests/config/include.c b/tests/config/include.c
index ff8ac251c..bab59bcbe 100644
--- a/tests/config/include.c
+++ b/tests/config/include.c
@@ -87,6 +87,16 @@ void test_config_include__depth(void)
 	cl_git_pass(p_unlink("b"));
 }
 
+void test_config_include__empty_path_sanely_handled(void)
+{
+	cl_git_mkfile("a", "[include]\npath");
+	cl_git_pass(git_config_open_ondisk(&cfg, "a"));
+	cl_git_pass(git_config_get_string_buf(&buf, cfg, "include.path"));
+	cl_assert_equal_s("", git_buf_cstr(&buf));
+
+	cl_git_pass(p_unlink("a"));
+}
+
 void test_config_include__missing(void)
 {
 	cl_git_mkfile("including", "[include]\npath = nonexistentfile\n[foo]\nbar = baz");