|
014d4955
|
2019-02-20T15:30:11
|
|
apply: prevent OOB read when parsing source buffer
When parsing the patch image from a string, we split the string
by newlines to get a line-based view of it. To split, we use
`memchr` on the buffer and limit the buffer length by the
original length provided by the caller. This works just fine for
the first line, but for every subsequent line we need to actually
subtract the amount of bytes that we have already read.
The above issue can be easily triggered by having a source buffer
with at least two lines, where the second line does _not_ end in
a newline. Given a string "foo\nb", we have an original length of
five bytes. After having extracted the first line, we will point
to 'b' and again try to `memchr(p, '\n', 5)`, resulting in an
out-of-bounds read of four bytes.
Fix the issue by correctly subtracting the amount of bytes
already read.
|
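The fix described in this commit message, sketched as an added example (not libgit2's own code; `line_view`, `split_lines` and `overread_with_original_len` are hypothetical names). It bounds each `memchr` call by the bytes still unread and computes, without touching memory, how far the uncorrected bound would reach for the "foo\nb" input.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One line of the input: where it starts and its length ('\n' included). */
struct line_view {
    const char *start;
    size_t len;
};

/*
 * Split buf[0..len) into lines. The bound handed to memchr is the number
 * of bytes still unread (end - p), not the caller's original len.
 * Returns the number of lines; stores at most max of them in out.
 */
static size_t split_lines(const char *buf, size_t len,
                          struct line_view *out, size_t max)
{
    const char *p = buf, *end = buf + len;
    size_t n = 0;

    while (p < end) {
        size_t remaining = (size_t)(end - p);
        const char *nl = memchr(p, '\n', remaining);
        /* A last line without '\n' runs to the end of the buffer. */
        size_t linelen = nl ? (size_t)(nl - p) + 1 : remaining;

        if (n < max) {
            out[n].start = p;
            out[n].len = linelen;
        }
        n++;
        p += linelen;
    }
    return n;
}

/*
 * Upper bound on the bytes past the end of the buffer that
 * memchr(p, '\n', len) may examine when p already sits `consumed` bytes
 * into a len-byte buffer. Pure arithmetic: nothing is read out of bounds.
 */
static size_t overread_with_original_len(size_t len, size_t consumed)
{
    size_t remaining = consumed < len ? len - consumed : 0;
    return len - remaining;
}

int main(void)
{
    const char src[] = "foo\nb"; /* constructed input from the commit message */
    struct line_view lines[4];
    size_t i, n = split_lines(src, 5, lines, 4);

    for (i = 0; i < n; i++)
        printf("line %zu: %zu bytes\n", i, lines[i].len);
    printf("uncorrected bound overreads by up to %zu bytes\n",
           overread_with_original_len(5, lines[0].len));
    return 0;
}
```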
|
1a107fac
|
2019-02-02T10:25:54
|
|
Merge pull request #4970 from libgit2/ethomson/0_28
v0.28 rc1
|
|
3fe29c4d
|
2019-01-31T19:10:03
|
|
version: 0.28
|
|
63f96cd0
|
2019-01-31T19:09:42
|
|
changelog: this is 0.28
|
|
214457c6
|
2019-01-31T18:51:36
|
|
Merge pull request #4968 from tiennou/fix/documentation
Docs
|
|
6853a250
|
2019-01-31T14:46:21
|
|
Merge branch 'pks/stream-truncated-writes'
|
|
75918aba
|
2019-01-23T14:43:54
|
|
mbedtls: make global variables static
The mbedtls stream implementation makes use of some global variables
which are not marked as `static`, even though they're only used in this
compilation unit. Fix this and remove a duplicate declaration.
|
|
0ceac0d0
|
2019-01-23T14:45:19
|
|
mbedtls: fix potential size overflow when reading or writing data
The mbedtls library uses a callback mechanism to allow downstream users
to plug in their own receive and send functions. We implement `bio_read`
and `bio_write` functions, which simply wrap the `git_stream_read` and
`git_stream_write` functions, respectively.
The problem arises due to the return value of the callback functions:
mbedtls expects us to return an `int` containing the actual number of
bytes that were read or written. But this is in fact completely
misdesigned, as callers are allowed to pass in a buffer with length
`SIZE_MAX`. We thus may be unable to represent the number of bytes
written via the return value.
Fix this by only ever reading or writing at most `INT_MAX` bytes.
|
|
657197e6
|
2019-01-23T15:54:05
|
|
openssl: fix potential size overflow when writing data
Our `openssl_write` function calls `SSL_write` by passing in both `data`
and `len` arguments directly. Thing is, our `len` parameter is of type
`size_t` and theirs is of type `int`. We thus need to clamp our length
to be at most `INT_MAX`.
|
|
7613086d
|
2019-01-23T15:49:28
|
|
streams: handle short writes only in generic stream
Now that the function `git_stream__write_full` exists and callers of
`git_stream_write` have been adjusted, we can lift logic for short
writes out of the stream implementations. Instead, this is now handled
either by `git_stream__write_full` or by callers of `git_stream_write`
directly.
|
|
5265b31c
|
2019-01-23T15:00:20
|
|
streams: fix callers potentially only writing partial data
Similar to the write(3) function, implementations of `git_stream_write`
do not guarantee that all bytes are written. Instead, they return the
number of bytes that actually have been written, which may be smaller
than the total number of bytes. Furthermore, due to an interface design
issue, we cannot ever write more than `SSIZE_MAX` bytes at once, as
otherwise we cannot represent the number of bytes written to the caller.
Unfortunately, no caller of `git_stream_write` ever checks the return
value, except to verify that no error occurred. Due to this, they are
susceptible to the case where only partial data has been written.
Fix this by introducing a new function `git_stream__write_full`. In
contrast to `git_stream_write`, it will always return either success or
failure, without returning the number of bytes written. Thus, it is able
to write all `SIZE_MAX` bytes and loop around `git_stream_write` until
all data has been written. Adjust all callers except the BIO callbacks
in our mbedtls and OpenSSL streams, which already do the right thing and
require the amount of bytes written.
|
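The two ideas from the stream commits above (clamping a `size_t` length to `INT_MAX` before an `int`-based backend call, and looping until every byte is written) as one added example. This is not libgit2's code: `demo_stream`, `backend_write`, `clamp_len`, `demo_stream_write` and `demo_write_full` are hypothetical stand-ins, and `ssize_t` assumes a POSIX system.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h> /* ssize_t (POSIX assumed) */

/* Hypothetical sink standing in for a TLS backend: it takes an int
 * length and accepts at most `chunk` bytes per call (a short write). */
struct demo_stream {
    char   out[64];
    size_t used;
    int    chunk;
    int    calls;
};

static int backend_write(struct demo_stream *s, const char *data, int len)
{
    int n = len < s->chunk ? len : s->chunk;

    if (n <= 0 || s->used + (size_t)n > sizeof(s->out))
        return -1;
    memcpy(s->out + s->used, data, (size_t)n);
    s->used += (size_t)n;
    s->calls++;
    return n;
}

/* A size_t length cannot be handed to an int parameter unchecked. */
static int clamp_len(size_t len)
{
    return len > (size_t)INT_MAX ? INT_MAX : (int)len;
}

/* Like write(3): returns the bytes written, which may be fewer than len. */
static ssize_t demo_stream_write(struct demo_stream *s, const char *data,
                                 size_t len)
{
    return backend_write(s, data, clamp_len(len));
}

/* Success (0) or failure (-1) only: loops until all of data is written. */
static int demo_write_full(struct demo_stream *s, const char *data, size_t len)
{
    size_t total = 0;

    while (total < len) {
        ssize_t written = demo_stream_write(s, data + total, len - total);
        if (written <= 0)
            return -1; /* error, or no progress: do not spin forever */
        total += (size_t)written;
    }
    return 0;
}

int main(void)
{
    struct demo_stream s = { {0}, 0, 3, 0 }; /* constructed: 3 bytes per call */
    int rc = demo_write_full(&s, "hello world", 11);

    printf("rc=%d used=%zu calls=%d\n", rc, s.used, s.calls);
    return rc;
}
```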
|
193e7ce9
|
2019-01-23T15:42:07
|
|
streams: make file-local functions static
The callback functions that implement the `git_stream` structure are
only used inside of their respective implementation files, but they are
not marked as `static`. Fix this.
|
|
9fd9126e
|
2019-01-30T21:19:18
|
|
docs: minor changes
|
|
2f1d6eff
|
2019-01-30T19:59:43
|
|
Merge pull request #4954 from tiennou/fix/documentation
Documentation fixes
|
|
cf14215d
|
2019-01-28T12:41:22
|
|
Merge pull request #4964 from libgit2/ethomson/ci_nightly
ci: add an individual coverity pipeline
|
|
52a97eed
|
2019-01-28T12:16:50
|
|
ci: add coverity badge to the README
|
|
0cf5b6b1
|
2019-01-28T10:48:49
|
|
ci: ignore coverity failures in nightly runs
Coverity is back but it's only read-only! Agh. Just allow it to fail
and not impact the overall job run.
|
|
690e55e0
|
2019-01-04T19:09:42
|
|
repo: split git_repository_open_flag_t options documentation inline
|
|
f6412c26
|
2019-01-15T13:35:41
|
|
transport: enhance documentation
|
|
2964fed0
|
2019-01-15T13:30:42
|
|
docs: document GIT_EUSER/GIT_EPASSTHROUGH
|
|
9e4d421e
|
2019-01-15T11:32:13
|
|
doc: clarify that git_time_t is seconds from the epoch
|
|
e9a34864
|
2019-01-27T22:47:09
|
|
Merge pull request #4961 from libgit2/ethomson/ci_docurium
ci: run docurium to create documentation
|
|
92b52f36
|
2019-01-27T22:46:53
|
|
Merge pull request #4962 from libgit2/ethomson/ci_nightly
ci: return coverity to the nightlies
|
|
08d71f72
|
2019-01-27T22:46:07
|
|
ci: return coverity to the nightlies
|
|
b1e28625
|
2019-01-26T19:43:33
|
|
Merge pull request #4950 from libgit2/ethomson/warnings
Clean up some warnings
|
|
f56634f8
|
2019-01-26T19:40:19
|
|
Merge pull request #4869 from libgit2/ethomson/ci_nightly
Nightlies: use `latest` docker images
|
|
ace20c6a
|
2019-01-26T16:59:32
|
|
ci: run docurium to create documentation
Run docurium as part of the build. The goal of this is to be able to
evaluate the documentation in a given pull request; as such, this does
not implement any sort of deployment pipeline.
This will allow us to download a snapshot of the documentation from the
CI build and evaluate the docs for a particular pull request; before
it's been merged.
|
|
4a798a91
|
2018-10-28T17:57:53
|
|
nightly: use latest images, not test images
|
|
751eb462
|
2019-01-21T11:20:18
|
|
delta: validate sizes and cast safely
Quiet down a warning from MSVC about how we're potentially losing data.
Validate that our data will fit into the type provided then cast.
|
|
4947216f
|
2019-01-21T11:11:27
|
|
git transport: only write INT_MAX bytes
The transport code returns an `int` with the number of bytes written;
thus only attempt to write at most `INT_MAX`.
|
|
a861839d
|
2019-01-21T10:55:59
|
|
windows: add SSIZE_MAX
Windows doesn't include ssize_t or its _MAX value by default. We are
already declaring ssize_t as SSIZE_T, which is __int64_t on Win64 and
long otherwise. Include its _MAX value as a correspondence to its type.
|
|
f1986a23
|
2019-01-21T09:56:23
|
|
streams: don't write more than SSIZE_MAX
Our streams implementation takes a `size_t` that indicates the length of
the data buffer to be written, and returns an `ssize_t` that indicates
the length that _was_ written. Clearly no such implementation can write
more than `SSIZE_MAX` bytes. Ensure that each TLS stream implementation
does not try to write more than `SSIZE_MAX` bytes (or smaller; if the
given implementation takes a smaller size).
|
|
e5e2fac8
|
2019-01-21T00:57:39
|
|
buffer: explicitly cast
Quiet down a warning from MSVC about how we're potentially losing data.
This is safe since we've explicitly tested it.
|
|
f4ebb2d4
|
2019-01-21T00:56:35
|
|
blame: make hunk_cmp handle unsigned differences
|
|
ae681d3f
|
2019-01-21T00:49:07
|
|
apply: make update_hunk accept a size_t
|
|
7ed2baf7
|
2019-01-21T00:41:50
|
|
MSVC: ignore empty compilation units (warning LNK4221)
A number of source files have their implementation #ifdef'd out (because
they target another platform). MSVC warns on empty compilation units
(with warning LNK4221). Ignore warning 4221 when creating the object
library.
|
|
fac08837
|
2019-01-21T11:38:46
|
|
filter: return an int
Validate that the return value of the read is not less than INT_MAX,
then cast.
|
|
89bd4ddb
|
2019-01-21T11:32:53
|
|
diff_generate: validate oid file size
Index entries are 32 bit unsigned ints, not `size_t`s.
|
|
fd9d4e28
|
2019-01-21T11:29:16
|
|
describe: don't mix and match abbreviated size types
The git_describe_format_options.abbreviated_size type is an unsigned
int. There's no need for it to be anything else; keep it what it is.
|
|
3fba5891
|
2019-01-20T23:53:33
|
|
test: cast to a char the zstream test
|
|
f25bb508
|
2019-01-20T23:52:50
|
|
index test: cast times explicitly
Cast actual filesystem data to the int32_t that index entries store.
|
|
1d4ddb8e
|
2019-01-20T23:42:08
|
|
iterator: cast filesystem iterator entry values explicitly
The filesystem iterator takes `stat` data from disk and puts them into
index entries, which use 32 bit ints for time (the seconds portion) and
filesize. However, on most systems these are not 32 bit, thus will
typically invoke a warning.
Most users ignore these fields entirely. Diff and checkout code do use
the values, however only for the cache to determine if they should check
file modification. Thus, this is not a critical error (and will cause a
hash recomputation at worst).
|
|
c6cac733
|
2019-01-20T22:40:38
|
|
blob: validate that blob sizes fit in a size_t
Our blob size is a `git_off_t`, which is a signed 64 bit int. This may
be erroneously negative or larger than `SIZE_MAX`. Ensure that the blob
size fits into a `size_t` before casting.
|
|
3aa6d96a
|
2019-01-20T20:38:25
|
|
tree: cast filename length in git_tree__parse_raw
Quiet down a warning from MSVC about how we're potentially losing data.
Ensure that we're within a uint16_t before we do.
|
|
759502ed
|
2019-01-20T20:30:42
|
|
odb_loose: explicitly cast to size_t
Quiet down a warning from MSVC about how we're potentially losing data.
This is safe since we've explicitly tested that it's positive and less
than SIZE_MAX.
|
|
80c3867b
|
2019-01-20T19:20:12
|
|
patch: explicitly cast down in parse_header_percent
Quiet down a warning from MSVC about how we're potentially losing data.
This is safe since we've explicitly tested that it's within the range of
0-100.
|
|
494448a5
|
2019-01-20T19:10:08
|
|
index: explicitly cast down to a size_t
Quiet down a warning from MSVC about how we're potentially losing data.
This cast is safe since we've explicitly tested that `strip_len` <=
`last_len`.
|
|
c3866fa8
|
2019-01-20T18:54:16
|
|
diff: explicitly cast in flush_hunk
Quiet down a warning from MSVC about how we're potentially losing data.
|
|
826d9a4d
|
2019-01-25T09:43:20
|
|
Merge pull request #4858 from tiennou/fix/index-ext-read
index: preserve extension parsing errors
|
|
859d9229
|
2019-01-25T09:41:41
|
|
Merge pull request #4952 from libgit2/ethomson/deprecation
Deprecate functions and constants more gently
|
|
c951b825
|
2019-01-23T00:32:40
|
|
deprecation: define GIT_DEPRECATE_HARD internally
Ensure that we do not use any deprecated functions in the library
source, test code or examples.
|
|
9f3a5a64
|
2019-01-23T00:29:03
|
|
deprecation: offer GIT_DEPRECATE_HARD
Users can define `GIT_DEPRECATE_HARD` if they want to remove all
functions that we've "softly" deprecated.
|
|
9c5e05ad
|
2019-01-23T10:43:29
|
|
deprecation: move deprecated tests into their own file
Move the deprecated stream tests into their own compilation unit. This
will allow us to disable any preprocessor directives that apply to
deprecation just for these tests (eg, disabling `GIT_DEPRECATED_HARD`).
|
|
e09f0c10
|
2019-01-23T10:21:42
|
|
deprecation: don't use deprecated stream cb
Avoid the deprecated `git_stream_cb` typedef since we want to compile
the library without deprecated functions or types. Instead, we can
unroll the alias to its actual type.
|
|
09e2ea2f
|
2019-01-23T09:44:40
|
|
deprecation: provide docurium deprecation note
Add `@deprecated` to the functions that are, so that they'll appear that
way in docurium.
|
|
53d13fb3
|
2019-01-23T09:42:55
|
|
deprecation: deprecated stream registration in if guard
`git_stream_register_tls` is now deprecated; mark it in an if guard with
the deprecation.
This should not be included in `deprecated.h` since it is an uncommonly
used `sys` header file.
|
|
769e9274
|
2019-01-23T00:42:22
|
|
deprecation: update changelog to reflect new policies
|
|
a7d0d14f
|
2019-01-23T00:07:40
|
|
deprecation: move deprecated bits to deprecated.h
|
|
1c3daccf
|
2019-01-23T09:51:50
|
|
fuzzers: don't use deprecated types
|
|
cc5da0a6
|
2019-01-23T09:36:52
|
|
examples: don't use deprecated types
|
|
5524a467
|
2019-01-25T09:06:27
|
|
Merge pull request #4957 from csware/deprecated
Don't use deprecated constants
|
|
bff7aed2
|
2019-01-24T16:44:04
|
|
Don't use deprecated constants
Follow up for PR #4917.
Signed-off-by: Sven Strickroth <email@cs-ware.de>
|
|
0bf7e043
|
2019-01-24T12:12:04
|
|
index: preserve extension parsing errors
Previously, we would clobber any extension-specific error message with
an "extension is truncated" message. This makes `read_extension`
correctly preserve those errors, takes responsibility for truncation
errors, and adds a new message with the actual extension signature for
unsupported mandatory extensions.
|
|
80be19b9
|
2019-01-24T11:59:48
|
|
Merge pull request #4955 from csware/c4098
Fix VS warning C4098: 'giterr_set_str' : void function returning a value
|
|
53bf0bde
|
2019-01-24T11:29:36
|
|
Fix VS warning C4098: 'giterr_set_str' : void function returning a value
Signed-off-by: Sven Strickroth <email@cs-ware.de>
|
|
635693d3
|
2019-01-22T22:52:06
|
|
Merge pull request #4917 from libgit2/ethomson/giterr
Move `giterr` to `git_error`
|
|
a27a4de6
|
2019-01-10T22:48:03
|
|
errors: update docs for giterr changes
|
|
00c66dfd
|
2019-01-10T22:43:59
|
|
errors: update static analysis tools for giterr
Update GITERR and giterr usages in the static code analysis tools to use
the new names.
|
|
fcc7dcb1
|
2019-01-10T22:39:56
|
|
errors: remove giterr usage in examples
|
|
115a6c50
|
2019-01-10T21:44:26
|
|
errors: remove giterr usage in fuzzers
|
|
f673e232
|
2018-12-27T13:47:34
|
|
git_error: use new names in internal APIs and usage
Move to the `git_error` name in the internal API for error-related
functions.
|
|
647dfdb4
|
2019-01-10T22:13:07
|
|
git_error: deprecate error values
Replace the `GITERR` values with a `const int` to deprecate error
values.
|
|
20961b98
|
2018-12-26T14:06:21
|
|
git_error: use full class name in public error API
Move to the `git_error` name in error-related functions, deprecating the
`giterr` functions. This means, for example, that `giterr_last` is now
`git_error_last`. The old names are retained for compatibility.
This only updates the public API; internal API and function usage
remains unchanged.
|
|
6b2cd0ed
|
2019-01-20T20:55:00
|
|
Merge pull request #4949 from zlikavac32/fix-odb-foreach-cb-positive-error-code
odb: Fix odb foreach to also close on positive error code
|
|
f7416509
|
2019-01-20T20:15:31
|
|
Fix odb foreach to also close on positive error code
In include/git2/odb.h it states that the callback can also return
a positive value which should break looping.
Implementations of git_odb_foreach() and pack_backend__foreach()
did not respect that.
|
|
68166017
|
2019-01-20T18:33:36
|
|
Merge pull request #4948 from libgit2/ethomson/memleaks
repository: free memory in symlink detection function
|
|
b8b796c1
|
2019-01-20T18:09:43
|
|
repository: free memory in symlink detection function
|
|
1e92a036
|
2019-01-20T17:59:50
|
|
Merge pull request #4947 from libgit2/ethomson/proxyupdate
ci: update poxyproxy, run in quiet mode
|
|
c9d9e25f
|
2019-01-20T17:34:41
|
|
ci: update poxyproxy, run in quiet mode
Update the proxy so that we can enable a quiet mode.
|
|
86b522bd
|
2019-01-20T14:27:57
|
|
Merge pull request #4945 from libgit2/ethomson/fix-intrinsics
Add/multiply with overflow tweaks
|
|
b5a3ef3c
|
2019-01-20T14:27:25
|
|
Merge pull request #4944 from libgit2/ethomson/deprecation
Improve deprecation of old enums
|
|
75444d97
|
2019-01-20T13:52:46
|
|
add with overflow: correct documentation
Correct the documentation on the fallback add/multiply with overflow
functions.
|
|
abbc07f1
|
2019-01-20T13:51:15
|
|
add with overflow: use SizeTAdd on Windows
Windows provides <intsafe.h> which provides "performant" add and
multiply with overflow operations. Use them when possible.
|
|
c6d47acf
|
2019-01-20T13:04:10
|
|
Remove unused git__add_uint64_overflow
|
|
f04f1c7e
|
2019-01-20T13:00:53
|
|
add with overflow intrinsics: simplify tests
Use the smallest unsigned type that is equivalent to `size_t` to
simplify the conditionals. Error if we're on a system that we believe
offers builtins but we cannot determine which one to use.
|
|
1b2af79e
|
2019-01-20T10:49:23
|
|
deprecation: use the enum type in declaration
The C standard does not specify whether an enum is a signed or unsigned
type. Obviously, any enum that includes negative values _must_ be
signed, but if all values are positive then the compiler is free to
choose signed or unsigned.
Thus, by changing the type signatures to `git_object_t` and declaring
the old `GIT_OBJ_` values as a signed or unsigned int, we risk a
mismatch between what the compiler has chosen for a `git_object_t`'s
type and our type declaration.
Thus, we declare the deprecated values as the enum instead of guessing.
|
|
44827b67
|
2019-01-20T10:36:41
|
|
deprecation: add `used` attribute
Recent GCC enables `-Wunused-const-variables`, which makes output quite
noisy. Disable unused warnings for our deprecated variables.
|
|
1758636b
|
2019-01-19T01:38:34
|
|
Merge pull request #4939 from libgit2/ethomson/git_ref
Move `git_ref_t` to `git_reference_t`
|
|
b2c2dc64
|
2019-01-19T01:36:40
|
|
Merge pull request #4940 from libgit2/ethomson/git_obj
More `git_obj` to `git_object` updates
|
|
c352e561
|
2019-01-19T01:34:21
|
|
Merge pull request #4943 from libgit2/ethomson/ci
ci: only run invasive tests in nightly
|
|
e2b9f568
|
2019-01-19T00:37:13
|
|
ci: run all invasive tests on windows
|
|
1ebf3a7d
|
2019-01-19T00:34:55
|
|
ci: only run invasive tests during nightly runs
|
|
6b8a648f
|
2019-01-19T00:25:16
|
|
ci: clear settings variables in powershell
|
|
423d3e73
|
2019-01-19T00:08:05
|
|
ci: precisely identify the invasive tests
|
|
4e0c8a1e
|
2019-01-17T22:07:24
|
|
Merge pull request #4930 from libgit2/ethomson/cdecl
Always build a cdecl library
|
|
38e61797
|
2019-01-14T14:33:36
|
|
changelog: document that we always build cdecl
|
|
22d2062d
|
2019-01-09T18:25:10
|
|
Introduce GIT_CALLBACK macro to enforce cdecl
Since we now always build the library with cdecl calling conventions,
our callbacks should be decorated as such so that users will not be able
to provide callbacks defined with other calling conventions.
The `GIT_CALLBACK` macro will inject the `__cdecl` attribute as
appropriate.
|
|
57b753a0
|
2019-01-09T12:47:40
|
|
cmake: error when STDCALL is specified
To explicitly break end-users who were specifying STDCALL, explicitly
fail the cmake process to ensure that they know that they need to change
their bindings. Otherwise, we would quietly ignore their option and the
resulting cdecl library would produce undefined behavior.
|
|
a74dd39b
|
2019-01-09T12:33:47
|
|
Use cdecl calling conventions on Win32
The recommendation from engineers within Microsoft is that libraries
should have a calling convention specified in the public API, and that
calling convention should be cdecl unless there are strong reasons to
use a different calling convention.
We previously offered end-users the choice between cdecl and stdcall
calling conventions. We did this for presumed wider compatibility: most
Windows applications will use cdecl, but C# and PInvoke default to
stdcall for WINAPI compatibility. (On Windows, the standard library
functions are stdcall so PInvoke also defaults to stdcall.)
However, C# and PInvoke can easily call cdecl APIs by specifying an
annotation.
Thus, we will explicitly declare ourselves cdecl and remove the option
to build as stdcall.
|
|
b78bcbb9
|
2019-01-09T13:21:23
|
|
buffer: wrap EXTERN in DEPRECATED
The GIT_EXTERN macro needs to provide order-specific attributes; update
users of the GIT_DEPRECATED macro to allow for that.
|