Mirror of https://git.kernel.org/pub/scm/git/git.git/ https://git.shady.money/git/atom?h=v2.40.2 2022-12-13T12:23:36Z 2022-12-13T12:23:36Z Junio C Hamano gitster@pobox.com 2022-12-13T12:23:36Z urn:sha1:fea9f607a88dc43e479c7c9105663f28b8a0deb9 2022-12-13T12:17:10Z Junio C Hamano gitster@pobox.com 2022-12-13T12:17:10Z urn:sha1:fbabbc30e7bf3dee054ac74105d765fb0ec61893 2022-12-13T12:15:22Z Junio C Hamano gitster@pobox.com 2022-12-13T12:15:22Z urn:sha1:3748b5b7f5648b007dc3743e918ce5eaf44ee6fc 2022-12-13T12:13:11Z Junio C Hamano gitster@pobox.com 2022-12-13T12:13:11Z urn:sha1:5f22dcc02df6e69145489c8bec6872e9452688b8 2022-12-13T12:09:40Z Junio C Hamano gitster@pobox.com 2022-12-13T12:09:40Z urn:sha1:8a755eddf5bf256613bc584f32cd44401a25897c 2022-12-13T12:02:20Z Junio C Hamano gitster@pobox.com 2022-12-13T12:02:20Z urn:sha1:16128765d70f1375bcde3f27f51f85492b176a59 2022-12-09T05:26:21Z Patrick Steinhardt ps@pks.im 2022-12-01T14:47:23Z urn:sha1:304a50adff6480ede46b68f7545baab542cbfb46 Both the padding and wrapping formatting directives allow the caller to specify an integer that ultimately leads to us adding this many chars to the result buffer. As a consequence, it is trivial to e.g. allocate 2GB of RAM via a single formatting directive and cause resource exhaustion on the machine executing this logic. Furthermore, it is debatable whether there are any sane usecases that require the user to pad data to 2GB boundaries or to indent wrapped data by 2GB. Restrict the input sizes to 16 kilobytes at a maximum to limit the amount of bytes that can be requested by the user. This is not meant as a fix because there are ways to trivially amplify the amount of data we generate via formatting directives; the real protection is achieved by the changes in previous steps to catch and avoid integer wraparound that causes us to under-allocate and access beyond the end of allocated memory reagions. But having such a limit significantly helps fuzzing the pretty format, because the fuzzer is otherwise quite fast to run out-of-memory as it discovers these formatters. Signed-off-by: Patrick Steinhardt <ps@pks.im> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2022-12-09T05:26:21Z Patrick Steinhardt ps@pks.im 2022-12-01T14:46:53Z urn:sha1:522cc87fdc25449222a5894a428eebf4b8d5eaa9 The `utf8_strnwidth()` function accepts an optional string length as input parameter. This parameter can either be set to `-1`, in which case we call `strlen()` on the input. Or it can be set to a positive integer that indicates a precomputed length, which callers typically compute by calling `strlen()` at some point themselves. The input parameter is an `int` though, whereas `strlen()` returns a `size_t`. This can lead to implementation-defined behaviour though when the `size_t` cannot be represented by the `int`. In the general case though this leads to wrap-around and thus to negative string sizes, which is sure enough to not lead to well-defined behaviour. Fix this by accepting a `size_t` instead of an `int` as string length. While this takes away the ability of callers to simply pass in `-1` as string length, it really is trivial enough to convert them to instead pass in `strlen()` instead. Signed-off-by: Patrick Steinhardt <ps@pks.im> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2022-12-09T05:26:21Z Patrick Steinhardt ps@pks.im 2022-12-01T14:46:49Z urn:sha1:48050c42c73c28b0c001d63d11dffac7e116847b The `%w(width,indent1,indent2)` formatting directive can be used to rewrap text to a specific width and is designed after git-shortlog(1)'s `-w` parameter. While the three parameters are all stored as `size_t` internally, `strbuf_add_wrapped_text()` accepts integers as input. As a result, the casted integers may overflow. As these now-negative integers are later on passed to `strbuf_addchars()`, we will ultimately run into implementation-defined behaviour due to casting a negative number back to `size_t` again. On my platform, this results in trying to allocate 9000 petabyte of memory. Fix this overflow by using `cast_size_t_to_int()` so that we reject inputs that cannot be represented as an integer. Signed-off-by: Patrick Steinhardt <ps@pks.im> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2022-12-09T05:26:21Z Patrick Steinhardt ps@pks.im 2022-12-01T14:46:39Z urn:sha1:1de69c0cdd388b0a5b7bdde0bfa0bda514a354b0 When a formatting directive has a `+` or ` ` after the `%`, then we add either a line feed or space if the placeholder expands to a non-empty string. In specific cases though this logic doesn't work as expected, and we try to add the character even in the case where the formatting directive is empty. One such pattern is `%w(1)%+d%+w(2)`. `%+d` expands to reference names pointing to a certain commit, like in `git log --decorate`. For a tagged commit this would for example expand to `\n (tag: v1.0.0)`, which has a leading newline due to the `+` modifier and a space added by `%d`. Now the second wrapping directive will cause us to rewrap the text to `\n(tag:\nv1.0.0)`, which is one byte shorter due to the missing leading space. The code that handles the `+` magic now notices that the length has changed and will thus try to insert a leading line feed at the original posititon. But as the string was shortened, the original position is past the buffer's boundary and thus we die with an error. Now there are two issues here: 1. We check whether the buffer length has changed, not whether it has been extended. This causes us to try and add the character past the string boundary. 2. The current logic does not make any sense whatsoever. When the string got expanded due to the rewrap, putting the separator into the original position is likely to put it somewhere into the middle of the rewrapped contents. It is debatable whether `%+w()` makes any sense in the first place. Strictly speaking, the placeholder never expands to a non-empty string, and consequentially we shouldn't ever accept this combination. We thus fix the bug by simply refusing `%+w()`. Signed-off-by: Patrick Steinhardt <ps@pks.im> Signed-off-by: Junio C Hamano <gitster@pobox.com>