<feed xmlns='http://www.w3.org/2005/Atom'>
<title>git/utf8.c, branch v2.20.2</title>
<subtitle>Mirror of https://git.kernel.org/pub/scm/git/git.git/
</subtitle>
<id>https://git.shady.money/git/atom?h=v2.20.2</id>
<link rel='self' href='https://git.shady.money/git/atom?h=v2.20.2'/>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/'/>
<updated>2018-08-15T22:08:25Z</updated>
<entry>
<title>Merge branch 'jk/size-t'</title>
<updated>2018-08-15T22:08:25Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2018-08-15T22:08:25Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=7d020f5a78a1ae7ff47d65a2adc79171c0cf9cb7'/>
<id>urn:sha1:7d020f5a78a1ae7ff47d65a2adc79171c0cf9cb7</id>
<content type='text'>
Code clean-up to use size_t/ssize_t when they are the right type.

* jk/size-t:
  strbuf_humanise: use unsigned variables
  pass st.st_size as hint for strbuf_readlink()
  strbuf_readlink: use ssize_t
  strbuf: use size_t for length in intermediate variables
  reencode_string: use size_t for string lengths
  reencode_string: use st_add/st_mult helpers
</content>
</entry>
<entry>
<title>reencode_string: use size_t for string lengths</title>
<updated>2018-07-24T17:19:29Z</updated>
<author>
<name>Jeff King</name>
<email>peff@peff.net</email>
</author>
<published>2018-07-24T10:50:33Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=c7d017d7e1cca37ca20f73c11fa9f1b319a2c3a5'/>
<id>urn:sha1:c7d017d7e1cca37ca20f73c11fa9f1b319a2c3a5</id>
<content type='text'>
The iconv interface takes a size_t, which is the appropriate
type for an in-memory buffer. But our reencode_string_*
functions use integers, meaning we may get confusing results
when the sizes exceed INT_MAX. Let's use size_t
consistently.

Signed-off-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>reencode_string: use st_add/st_mult helpers</title>
<updated>2018-07-24T17:19:29Z</updated>
<author>
<name>Jeff King</name>
<email>peff@peff.net</email>
</author>
<published>2018-07-24T10:50:10Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=77aa03d6c7f07db4a5d34afe8f5b3a55e801057c'/>
<id>urn:sha1:77aa03d6c7f07db4a5d34afe8f5b3a55e801057c</id>
<content type='text'>
When converting a string with iconv, if the output buffer
isn't big enough, we grow it. But our growth is done without
any concern for integer overflow. So when we add:

  outalloc = sofar + insz * 2 + 32;

we may end up wrapping outalloc (which is a size_t), and
allocating a too-small buffer. We then manipulate it
further:

  outsz = outalloc - sofar - 1;

and feed outsz back to iconv. If outalloc is wrapped and
smaller than sofar, we'll end up with a small allocation but
feed a very large outsz to iconv, which could result in it
overflowing the buffer.

Can we use this to construct an attack wherein the victim
clones a repository with a very large commit object with an
encoding header, and running "git log" reencodes it into
utf8, causing an overflow?

An attack of this sort is likely impossible in practice.
"sofar" is how many output bytes we've written total, and
"insz" is the number of input bytes remaining. Imagine our
input doubles in size as we output it (which is easy to do
by converting latin1 to utf8, for example), and that we
start with N input bytes. Our initial output buffer also
starts at N bytes, so after the first call we'd have N/2
input bytes remaining (insz), and have written N bytes
(sofar). That means our next allocation will be
(N + N/2 * 2 + 32) bytes, or (2N + 32).

We can therefore overflow a 32-bit size_t with a commit
message that's just under 2^31 bytes, assuming it consists
mostly of "doubling" sequences (e.g., latin1 0xe1 which
becomes utf8 0xc3 0xa1).

But we'll never make it that far with such a message. We'll
be spending 2^31 bytes on the original string. And our
initial output buffer will also be 2^31 bytes. Which is not
going to succeed on a system with a 32-bit size_t, since
there will be other things using the address space, too. The
initial malloc will fail.

If we imagine instead that we can triple the size when
converting, then our second allocation becomes
(N + 2/3N * 2 + 32), or (7/3N + 32). That still requires two
allocations of 3/7 of our address space (6/7 of the total)
to succeed.

If we imagine we can quadruple, it becomes (5/2N + 32); we
need to be able to allocate 4/5 of the address space to
succeed.

This might start to get plausible. But is it possible to get
a 4-to-1 increase in size? Probably if you're converting to
some obscure encoding. But since git defaults to utf8 for
its output, that's the likely destination encoding for an
attack. And while there are 4-character utf8 sequences, it's
unlikely that you'd be able find a single-byte source
sequence in any encoding.

So this is certainly buggy code which should be fixed, but
it is probably not a useful attack vector.

Signed-off-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>utf8.c: avoid char overflow</title>
<updated>2018-07-09T21:38:12Z</updated>
<author>
<name>Beat Bolli</name>
<email>dev+git@drbeat.li</email>
</author>
<published>2018-07-09T19:25:37Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=2b647a05d7223beacba076e45b3920a8621d28e7'/>
<id>urn:sha1:2b647a05d7223beacba076e45b3920a8621d28e7</id>
<content type='text'>
In ISO C, char constants must be in the range -128..127. Change the BOM
constants to char literals to avoid overflow.

Signed-off-by: Beat Bolli &lt;dev+git@drbeat.li&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>Sync with Git 2.17.1</title>
<updated>2018-05-29T08:10:05Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2018-05-29T08:09:58Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=7913f53b5628997165e075008d6142da1c04271a'/>
<id>urn:sha1:7913f53b5628997165e075008d6142da1c04271a</id>
<content type='text'>
* maint: (25 commits)
  Git 2.17.1
  Git 2.16.4
  Git 2.15.2
  Git 2.14.4
  Git 2.13.7
  fsck: complain when .gitmodules is a symlink
  index-pack: check .gitmodules files with --strict
  unpack-objects: call fsck_finish() after fscking objects
  fsck: call fsck_finish() after fscking objects
  fsck: check .gitmodules content
  fsck: handle promisor objects in .gitmodules check
  fsck: detect gitmodules files
  fsck: actually fsck blob data
  fsck: simplify ".git" check
  index-pack: make fsck error message more specific
  verify_path: disallow symlinks in .gitmodules
  update-index: stat updated files earlier
  verify_dotfile: mention case-insensitivity in comment
  verify_path: drop clever fallthrough
  skip_prefix: add case-insensitive variant
  ...
</content>
</entry>
<entry>
<title>Sync with Git 2.14.4</title>
<updated>2018-05-22T05:15:14Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2018-05-22T05:15:14Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=9e0f06d55df5855178ff41342937943604f6e97c'/>
<id>urn:sha1:9e0f06d55df5855178ff41342937943604f6e97c</id>
<content type='text'>
* maint-2.14:
  Git 2.14.4
  Git 2.13.7
  verify_path: disallow symlinks in .gitmodules
  update-index: stat updated files earlier
  verify_dotfile: mention case-insensitivity in comment
  verify_path: drop clever fallthrough
  skip_prefix: add case-insensitive variant
  is_{hfs,ntfs}_dotgitmodules: add tests
  is_ntfs_dotgit: match other .git files
  is_hfs_dotgit: match other .git files
  is_ntfs_dotgit: use a size_t for traversing string
  submodule-config: verify submodule names as paths
</content>
</entry>
<entry>
<title>is_hfs_dotgit: match other .git files</title>
<updated>2018-05-22T03:50:11Z</updated>
<author>
<name>Jeff King</name>
<email>peff@peff.net</email>
</author>
<published>2018-05-02T19:23:45Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=0fc333ba20b43a8afee5023e92cb3384ff4e59a6'/>
<id>urn:sha1:0fc333ba20b43a8afee5023e92cb3384ff4e59a6</id>
<content type='text'>
Both verify_path() and fsck match ".git", ".GIT", and other
variants specific to HFS+. Let's allow matching other
special files like ".gitmodules", which we'll later use to
enforce extra restrictions via verify_path() and fsck.

Signed-off-by: Jeff King &lt;peff@peff.net&gt;
</content>
</entry>
<entry>
<title>Merge branch 'ls/checkout-encoding'</title>
<updated>2018-05-08T06:59:22Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2018-05-08T06:59:22Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=1ac0ce4d32ab7a3546e7e84a562625576208c7db'/>
<id>urn:sha1:1ac0ce4d32ab7a3546e7e84a562625576208c7db</id>
<content type='text'>
The new "checkout-encoding" attribute can ask Git to convert the
contents to the specified encoding when checking out to the working
tree (and the other way around when checking in).

* ls/checkout-encoding:
  convert: add round trip check based on 'core.checkRoundtripEncoding'
  convert: add tracing for 'working-tree-encoding' attribute
  convert: check for detectable errors in UTF encodings
  convert: add 'working-tree-encoding' attribute
  utf8: add function to detect a missing UTF-16/32 BOM
  utf8: add function to detect prohibited UTF-16/32 BOM
  utf8: teach same_encoding() alternative UTF encoding names
  strbuf: add a case insensitive starts_with()
  strbuf: add xstrdup_toupper()
  strbuf: remove unnecessary NUL assignment in xstrdup_tolower()
</content>
</entry>
<entry>
<title>utf8: add function to detect a missing UTF-16/32 BOM</title>
<updated>2018-04-16T02:40:56Z</updated>
<author>
<name>Lars Schneider</name>
<email>larsxschneider@gmail.com</email>
</author>
<published>2018-04-15T18:16:06Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=c6e48652f69f6955bbbb423100e0df2a49467db8'/>
<id>urn:sha1:c6e48652f69f6955bbbb423100e0df2a49467db8</id>
<content type='text'>
If the endianness is not defined in the encoding name, then let's
be strict and require a BOM to avoid any encoding confusion. The
is_missing_required_utf_bom() function returns true if a required BOM
is missing.

The Unicode standard instructs to assume big-endian if there in no BOM
for UTF-16/32 [1][2]. However, the W3C/WHATWG encoding standard used
in HTML5 recommends to assume little-endian to "deal with deployed
content" [3]. Strictly requiring a BOM seems to be the safest option
for content in Git.

This function is used in a subsequent commit.

[1] http://unicode.org/faq/utf_bom.html#gen6
[2] http://www.unicode.org/versions/Unicode10.0.0/ch03.pdf
     Section 3.10, D98, page 132
[3] https://encoding.spec.whatwg.org/#utf-16le

Signed-off-by: Lars Schneider &lt;larsxschneider@gmail.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>utf8: add function to detect prohibited UTF-16/32 BOM</title>
<updated>2018-04-16T02:40:56Z</updated>
<author>
<name>Lars Schneider</name>
<email>larsxschneider@gmail.com</email>
</author>
<published>2018-04-15T18:16:05Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=10ecb82e4f1f507d5f122e00fd4829b30953f853'/>
<id>urn:sha1:10ecb82e4f1f507d5f122e00fd4829b30953f853</id>
<content type='text'>
Whenever a data stream is declared to be UTF-16BE, UTF-16LE, UTF-32BE
or UTF-32LE a BOM must not be used [1]. The function returns true if
this is the case.

This function is used in a subsequent commit.

[1] http://unicode.org/faq/utf_bom.html#bom10

Signed-off-by: Lars Schneider &lt;larsxschneider@gmail.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
</feed>
