| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The function `git_diff_find_similar` keeps a function of cache
similarity metrics signatures, whose size depends on the number of
deltas passed in via the `diff` parameter. In case where the diff is
empty and thus doesn't have any deltas at all, we may end up allocating
this cache via a call to `git__calloc(0, sizeof(void *))`. At least on
AIX, allocating 0 bytes will result in a `NULL` pointer being returned,
which causes us to erroneously return an OOM error.
Fix this situation by simply returning early in case where we are being
passed an empty diff, as we cannot find any similarities in that case
anyway.
(cherry picked from commit c65568d8c8c1bf4920393190e862819cd263f439)
|
| |
| |
| |
| | |
(cherry picked from commit 6698e0562d0f782903f28c224c879da7c2abf674)
|
| |
| |
| |
| | |
(cherry picked from commit f140950066cf2989912e18ad92ec088f624b8bf2)
|
| |
| |
| |
| | |
(cherry picked from commit ec76a1aa43321db2451e747d7a4408e780991c4a)
|
| |
| |
| |
| | |
(cherry picked from commit 019409be004fb73071415750e98db03d33fada47)
|
| |
| |
| |
| | |
(cherry picked from commit c4d7fa951acd066fd80d83954dd6082c1c7e9e1e)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
String operations in libgit2 are supposed to never receive `NULL`, e.g.
they are not `NULL`-save. In the case of `git__linenlen()`, invocation
with `NULL` leads to undefined behavior.
In a `git_parse_ctx` however, the `content` field used in these
operations was initialized to `NULL` if the `git_parse_ctx_init()` was
called with `NULL` for `content` or `0` for `content_len`. For the
latter case, the initialization function even contained some logic for
initializing `content` with `NULL`.
This commit mitigates triggering undefined behavior by rewriting the
logic. Now `content` is always initialized to a non-null buffer. Instead
of a null buffer, an empty string is used for denoting an empty buffer.
(cherry picked from commit d1bfe614aa20a0bdaf76c6d418176320ab11baf4)
|
| |
| |
| |
| | |
(cherry picked from commit f00db9ed67423b04976f8d20b0de2ee1fb7c3993)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When we add entries to a treebuilder we validate them. But we validate even
those that we're adding because they exist in the base tree. This disables
using the normal mechanisms on these trees, even to fix them.
Keep track of whether the entry we're appending comes from an existing tree and
bypass the name and id validation if it's from existing data.
(cherry picked from commit 2dff7e282da77f6b791e843ec267d9ddecabc187)
|
| |
| |
| |
| | |
(cherry picked from commit f9e28026753f7b6c871a160ad584b2dc2639d30f)
|
| | |
|
|/
|
|
|
|
|
| |
We were previously conflating any error into GIT_ENOTFOUND, which might
or might not be correct. This fixes the code so a config error is
bubbled up, as well as preserving the semantics in the face of
worktree-repositories
|
|\
| |
| | |
Release v0.27.6
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The commit message encoding is currently being parsed by the
`git__prefixcmp` function. As this function does not accept a buffer
length, it will happily skip over a buffer's end if it is not `NUL`
terminated.
Fix the issue by using `git__prefixncmp` instead. Add a test that
verifies that we are unable to parse the encoding field if it's cut off
by the supplied buffer length.
(cherry picked from commit 7655b2d89e8275853d9921dd903dcdad9b3d4a7b)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When parsing tags, we skip all unknown fields that appear before the tag
message. This skipping is done by using a plain `strstr(buffer, "\n\n")`
to search for the two newlines that separate tag fields from tag
message. As it is not possible to supply a buffer length to `strstr`,
this call may skip over the buffer's end and thus result in an out of
bounds read. As `strstr` may return a pointer that is out of bounds, the
following computation of `buffer_end - buffer` will overflow and result
in an allocation of an invalid length.
Fix the issue by using `git__memmem` instead. Add a test that verifies
parsing the tag fails not due to the allocation failure but due to the
tag having no message.
(cherry picked from commit ee11d47e3d907b66eeff99e0ba1e1c71e05164b7)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Unfortunately, neither the `memmem` nor the `strnstr` functions are part
of any C standard but are merely extensions of C that are implemented by
e.g. glibc. Thus, there is no standardized way to search for a string in
a block of memory with a limited size, and using `strstr` is to be
considered unsafe in case where the buffer has not been sanitized. In
fact, there are some uses of `strstr` in exactly that unsafe way in our
codebase.
Provide a new function `git__memmem` that implements the `memmem`
semantics. That is in a given haystack of `n` bytes, search for the
occurrence of a byte sequence of `m` bytes and return a pointer to the
first occurrence. The implementation chosen is the "Not So Naive"
algorithm from [1]. It was chosen as the implementation is comparably
simple while still being reasonably efficient in most cases.
Preprocessing happens in constant time and space, searching has a time
complexity of O(n*m) with a slightly sub-linear average case.
[1]: http://www-igm.univ-mlv.fr/~lecroq/string/
(cherry picked from commit 83e8a6b36acc67f2702cbbc7d4e334c7f7737719)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When an integer that is parsed with `git__strntol32` is too big to fit
into an int32, we will generate an error message that includes the
actual string that failed to parse. This does not acknowledge the fact
that the string may either not be NUL terminated or alternative include
additional characters after the number that is to be parsed. We may thus
end up printing characters into the buffer that aren't the number or,
worse, read out of bounds.
Fix the issue by utilizing the `endptr` that was set by
`git__strntol64`. This pointer is guaranteed to be set to the first
character following the number, and we can thus use it to compute the
width of the number that shall be printed. Create a test to verify that
we correctly truncate the number.
(cherry picked from commit ea19efc19fa683d632af3e172868bc4350724813)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
While `git__strntol64` tries to detect integer overflows when doing the
necessary arithmetics to come up with the final result, it does the
detection only after the fact. This check thus relies on undefined
behavior of signed integer overflows. Fix this by instead checking
up-front whether the multiplications or additions will overflow.
Note that a detected overflow will not cause us to abort parsing the
current sequence of digits. In the case of an overflow, previous
behavior was to still set up the end pointer correctly to point to the
first character immediately after the currently parsed number. We do not
want to change this now as code may rely on the end pointer being set up
correctly even if the parsed number is too big to be represented as
64 bit integer.
(cherry picked from commit b09c1c7b636c4112e247adc24245c65f3f9478d0)
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Some edge cases were currently completely untested, e.g. parsing numbers
greater than INT64_{MIN,MAX}, truncating buffers by length and invalid
characters. Add tests to verify that the system under test performs as
expected.
(cherry picked from commit 39087ab8ef77004c9f3b8984c38a834a6cb238bc)
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The function `git__strtol32` can easily be misused when untrusted data
is passed to it that may not have been sanitized with trailing `NUL`
bytes. As all usages of this function have now been removed, we can
remove this function altogether to avoid future misuse of it.
(cherry picked from commit 8d7fa88a9d5011b653035497b0f523e0f177b6a6)
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Replace remaining uses of the `git__strtol32` function. While these uses
are all safe as the strings were either sanitized or from a trusted
source, we want to remove `git__strtol32` altogether to avoid future
misuse.
(cherry picked from commit 2613fbb26a3e1a34dda8a5d198c108626cfd6cc3)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
We use the `git__strtol32` function to parse the child and entry count
of treecaches from the index, which do not accept a buffer length. As
the buffer that is being passed in is untrusted data and may thus be
malformed and may not contain a terminating `NUL` byte, we can overrun
the buffer and thus perform an out-of-bounds read.
Fix the issue by uzing `git__strntol32` instead.
(cherry picked from commit 21652ee9de439e042cc2e69b208aa2ef8ce31147)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The function `git__strtol64` does not take a maximum buffer length as
parameter. This has led to some unsafe usages of this function, and as
such we may consider it as being unsafe to use. As we have now
eradicated all usages of this function, let's remove it completely to
avoid future misuse.
(cherry picked from commit 68deb2cc80ef19bf3a1915c26b5308b283a6d69a)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When parsing integers from configuration values, we use `git__strtol64`.
This is fine to do, as we always sanitize values and can thus be sure
that they'll have a terminating `NUL` byte. But as this is the last
call-site of `git__strtol64`, let's just pass in the length explicitly
by calling `strlen` on the value to be able to remove `git__strtol64`
altogether.
(cherry picked from commit 1a2efd10bde66f798375e2f47ba57ef00ad5c193)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
We use `git__strtol64` and `git__strtol32` to parse the trailing commit
or author date and timezone of signatures. As signatures are usually
part of a commit or tag object and thus essentially untrusted data, the
buffer may be misformatted and may not be `NUL` terminated. This may
lead to an out-of-bounds read.
Fix the issue by using `git__strntol64` and `git__strntol32` instead.
(cherry picked from commit 3db9aa6f79711103a331a2bbbd044a3c37d4f136)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
We use `git__strtol64` to parse file modes of the index entries, which
does not limit the parsed buffer length. As the index can be essentially
treated as "untrusted" in that the data stems from the file system, it
may be misformatted and may not contain terminating `NUL` bytes. This
may lead to out-of-bounds reads when trying to parse index entries with
such malformatted modes.
Fix the issue by using `git__strntol64` instead.
(cherry picked from commit 600ceadd1426b874ae0618651210a690a68b27e9)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When quick-parsing a commit, we use `git__strtol64` to parse the
commit's time. The buffer that's passed to `commit_quick_parse` is the
raw data of an ODB object, though, whose data may not be properly
formatted and also does not have to be `NUL` terminated. This may lead
to out-of-bound reads.
Use `git__strntol64` to avoid this problem.
(cherry picked from commit 1a3fa1f5fafd433bdcf1834426d6963eff532125)
|
| |
| |
| |
| |
| |
| |
| | |
Before resetting the url and username, ensure that we free them in case
they were set by environment variables.
(cherry picked from commit e84914fd30edc6702e368c8ccfc77dc5607c213c)
|
| |
| |
| |
| |
| |
| | |
Don't just free the spec vector, also free the specs themselves.
(cherry picked from commit d285de73f9a09bc841b329267d1f61b9c03a7b68)
|
| |
| |
| |
| |
| |
| |
| | |
Don't just free the push status structure, actually free the strings that were
strdup'd into the struct as well.
(cherry picked from commit dad9988121521ccc2ffff39299ca98dba160b857)
|
| |
| |
| |
| |
| |
| | |
Free the url field when resetting the stream to avoid leaking it.
(cherry picked from commit ca2eb4608243162a13c427e74526b6422d5a6659)
|
| |
| |
| |
| |
| |
| |
| |
| | |
PowerShell can _read_ top-level variables in functions, but cannot _update_
top-level variables in functions unless they're explicitly prefixed with
`$global`.
(cherry picked from commit 0e26717a57169d1222bdebef3f0caa728fd85b75)
|
| |
| |
| |
| |
| |
| | |
Don't stop on test failures; run all the tests, even when a test fails.
(cherry picked from commit 429c7f1141f812d266cfd7d33a142871c21f8874)
|
| |
| |
| |
| |
| |
| |
| |
| | |
Similar to the way we parse the ctest output on POSIX systems, do the
same on Windows. This allows us to append the `-r` flag to clar after
we've identified the command to run.
(cherry picked from commit 7c9769d94799c7bc6341d64e18bbd13bc8993ad6)
|
| |
| |
| |
| |
| |
| |
| | |
Introduce SKIP_*_TEST variables for Windows builds to match POSIX
builds.
(cherry picked from commit a8301b0c19cc738961604a14b7e132b2b97e064c)
|
| |
| |
| |
| |
| |
| | |
Add the clar flags to produce JUnit-style XML output before invocation.
(cherry picked from commit fff33a1b65994e1f781f73d06e22d3f8778eff02)
|
| |
| |
| |
| |
| |
| |
| | |
This reverts commit a2d73f5643814cddf90d5bf489332e14ada89ab8.
Using clar to propagate the XML settings was a mistake.
(cherry picked from commit 943181c2efe20b705aa40d30197693e7a4c1d0ac)
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Our CI test system invokes ctest with the name of the given tests it
wishes to invoke. ctest (with the `-R` flag) treats this name as a
regular expression. Provide anchors in the regular expression to avoid
matching additional tests in this search.
(cherry picked from commit 7e353b7a140dade32f1f1db6afd1721cf2c18a4a)
|
| |
| |
| |
| |
| |
| |
| | |
Visual Studio Team Services is now a family of applications named "Azure
DevOps". Update the README to refer to it thusly.
(cherry picked from commit e2613039b34b9f119ca948c70ba75dd93dc1803f)
|
| |
| |
| |
| |
| |
| |
| | |
VSTS is now a family of components; "Azure Pipelines" is the build and
release pipeline application.
(cherry picked from commit 464305b74e87bd008cb9b18af632844f16806327)
|
| |
| |
| |
| | |
(cherry picked from commit d7d0139eb3ef9d306d0229223092a9cac7da1db5)
|
| |
| |
| |
| |
| |
| |
| |
| | |
Instead of trying to have a clever iterator pattern that increments the
error number, just iterate over errors in the report errors or report
all functions as it's easier to reason about in this fashion.
(cherry picked from commit d17e67d08d6e73dbf0daeae5049f92a38c2d8bb6)
|
| |
| |
| |
| |
| |
| |
| | |
Windows lacks %F and %T formats for strftime. Expand them to the
year/month/day and hour/minute/second formats, respectively.
(cherry picked from commit e595eeb5ab88142b97798ed65e651de6560515e9)
|
| |
| |
| |
| |
| |
| |
| | |
Our build YAML is becoming unweildly and full of copy-pasta. Simplify
with templates.
(cherry picked from commit 6b2d8f09bc9e5bdf74f98b7470ebc39436be600f)
|
| |
| |
| |
| |
| |
| |
| | |
Explicitly run from the build directory, not the source. (I was
mistaken about the default working directory for VSTS agents.)
(cherry picked from commit 306875bc1c0c4cf82a4feb9436d161750c3f0aad)
|
| |
| |
| |
| |
| |
| |
| | |
CMake treats backslashes as escape characters; use forward slashes for
the XML output path.
(cherry picked from commit f3f2c45ee6d8f46692ebcc71f2ee688868629830)
|
| |
| |
| |
| | |
(cherry picked from commit bfcbde5009db3175cb924687d9273e6f7c5aa1b7)
|
| |
| |
| |
| | |
(cherry picked from commit a84863fc8dfa51cafc1223181e17003383889350)
|