Mirror of https://git.kernel.org/pub/scm/git/git.git/ https://git.shady.money/git/atom?h=v2.9.2 2016-05-09T19:29:08Z 2016-05-09T19:29:08Z Nguyễn Thái Ngọc Duy pclouds@gmail.com 2016-05-08T09:47:36Z urn:sha1:4b94ec9b200e9bafc5fd2c9c4e8b7e7934d60c00 Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2016-02-22T22:51:09Z Jeff King peff@peff.net 2016-02-22T22:44:35Z urn:sha1:50a6c8efa2bbeddf46ca34c7765024108202e04b If our size computation overflows size_t, we may allocate a much smaller buffer than we expected and overflow it. It's probably impossible to trigger an overflow in most of these sites in practice, but it is easy enough convert their additions and multiplications into overflow-checking variants. This may be fixing real bugs, and it makes auditing the code easier. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2016-02-22T22:51:09Z Jeff King peff@peff.net 2016-02-22T22:44:32Z urn:sha1:96ffc06f72f693d80f05059a1f0e5ca9007d5f1b Using FLEX_ARRAY macros reduces the amount of manual computation size we have to do. It also ensures we don't overflow size_t, and it makes sure we write the same number of bytes that we allocated. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2016-02-22T22:51:09Z Jeff King peff@peff.net 2016-02-22T22:44:28Z urn:sha1:3733e6946465d4a3a1d89026a5ec911d3af339ab We frequently allocate strings as xmalloc(len + 1), where the extra 1 is for the NUL terminator. This can be done more simply with xmallocz, which also checks for integer overflow. There's no case where switching xmalloc(n+1) to xmallocz(n) is wrong; the result is the same length, and malloc made no guarantees about what was in the buffer anyway. But in some cases, we can stop manually placing NUL at the end of the allocated buffer. But that's only safe if it's clear that the contents will always fill the buffer. In each case where this patch does so, I manually examined the control flow, and I tried to err on the side of caution. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2016-02-22T22:51:09Z Jeff King peff@peff.net 2016-02-22T22:44:25Z urn:sha1:b32fa95fd8293ebfecb2b7b6c8d460579318f9fe Each of these cases can be converted to use ALLOC_ARRAY or REALLOC_ARRAY, which has two advantages: 1. It automatically checks the array-size multiplication for overflow. 2. It always uses sizeof(*array) for the element-size, so that it can never go out of sync with the declared type of the array. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2015-11-20T13:02:05Z brian m. carlson sandals@crustytoothpaste.net 2015-11-10T02:22:29Z urn:sha1:ed1c9977cb1b63e4270ad8bdf967a2d02580aa08 Convert all instances of get_object_hash to use an appropriate reference to the hash member of the oid member of struct object. This provides no functional change, as it is essentially a macro substitution. Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net> Signed-off-by: Jeff King <peff@peff.net> 2015-11-20T13:02:05Z brian m. carlson sandals@crustytoothpaste.net 2015-11-10T02:22:27Z urn:sha1:7999b2cf772956466baa8925491d6fb1b0963292 Convert most instances where the sha1 member of struct object is dereferenced to use get_object_hash. Most instances that are passed to functions that have versions taking struct object_id, such as get_sha1_hex/get_oid_hex, or instances that can be trivially converted to use struct object_id instead, are not converted. Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net> Signed-off-by: Jeff King <peff@peff.net> 2015-09-28T22:33:56Z Junio C Hamano gitster@pobox.com 2015-09-28T22:33:56Z urn:sha1:11a458befcd7662fbe6d2d53c76d49ae2b0fe219 2015-09-28T22:28:31Z Junio C Hamano gitster@pobox.com 2015-09-28T22:28:26Z urn:sha1:6343e2f6f271cf344ea8e7384342502faecaf37c 2015-09-28T21:57:10Z Jeff King peff@peff.net 2015-09-24T23:12:23Z urn:sha1:3efb988098858bf6b974b1e673a190f9d2965d1d When we call into xdiff to perform a diff, we generally lose the return code completely. Typically by ignoring the return of our xdi_diff wrapper, but sometimes we even propagate that return value up and then ignore it later. This can lead to us silently producing incorrect diffs (e.g., "git log" might produce no output at all, not even a diff header, for a content-level diff). In practice this does not happen very often, because the typical reason for xdiff to report failure is that it malloc() failed (it uses straight malloc, and not our xmalloc wrapper). But it could also happen when xdiff triggers one our callbacks, which returns an error (e.g., outf() in builtin/rerere.c tries to report a write failure in this way). And the next patch also plans to add more failure modes. Let's notice an error return from xdiff and react appropriately. In most of the diff.c code, we can simply die(), which matches the surrounding code (e.g., that is what we do if we fail to load a file for diffing in the first place). This is not that elegant, but we are probably better off dying to let the user know there was a problem, rather than simply generating bogus output. We could also just die() directly in xdi_diff, but the callers typically have a bit more context, and can provide a better message (and if we do later decide to pass errors up, we're one step closer to doing so). There is one interesting case, which is in diff_grep(). Here if we cannot generate the diff, there is nothing to match, and we silently return "no hits". This is actually what the existing code does already, but we make it a little more explicit. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>