kmx git

Commit	Date	Message
27008e84	2016-06-14T14:46:12	fetch: Fixed spurious update callback for existing tags.
d1fb89dd	2016-06-07T12:55:17	global: clean up crt only after freeing tls data The thread local storage is used to hold some global state that is dynamically allocated and should be freed upon exit. On Windows, we clean up the C run-time right after execution of registered shutdown callbacks and before cleaning up the TLS. When we clean up the CRT, we also cause it to analyze for memory leaks. As we did not free the TLS yet this will lead to false positives. Fix the issue by first freeing the TLS and cleaning up the CRT only afterwards.
246d25b3	2016-06-07T08:35:26	index: fix NULL pointer access in index_remove_entry When removing an entry from the index by its position, we first retrieve the position from the index's entries and then try to remove the retrieved value from the index map with `DELETE_IN_MAP`. When `index_remove_entry` returns `NULL` we try to feed it into the `DELETE_IN_MAP` macro, which will unconditionally call `idxentry_hash` and then happily dereference the `NULL` entry pointer. Fix the issue by not passing a `NULL` entry into `DELETE_IN_MAP`.
1a709604	2016-06-06T12:59:17	transports: smart: fix potential invalid memory dereferences When we receive a packet of exactly four bytes encoding its length as those four bytes it can be treated as an empty line. While it is not really specified how those empty lines should be treated, we currently ignore them and do not return an error when trying to parse it but simply advance the data pointer. Callers invoking `git_pkt_parse_line` are currently not prepared to handle this case as they do not explicitly check this case. While they could always reset the passed out-pointer to `NULL` before calling `git_pkt_parse_line` and determine if the pointer has been set afterwards, it makes more sense to update `git_pkt_parse_line` to set the out-pointer to `NULL` itself when it encounters such an empty packet. Like this it is guaranteed that there will be no invalid memory references to free'd pointers. As such, the issue has been fixed such that `git_pkt_parse_line` always sets the packet out pointer to `NULL` when an empty packet has been received and callers check for this condition, skipping such packets.
11408f0e	2016-06-02T02:34:03	index_read_index: invalidate new paths in tree cache When adding a new entry to an existing index via `git_index_read_index`, be sure to remove the tree cache entry for that new path. This will mark all parent trees as dirty.
80745b12	2016-06-02T01:04:58	index_read_index: set flags for path_len correctly Update the flags to reset the path_len (to emulate `index_insert`)
e755f79f	2016-06-02T00:47:51	index_read_index: differentiate on mode Treat index entries with different modes as different, which they are, at least for the purposes of up-to-date calculations.
e6a0a850	2016-06-01T14:56:27	index_read_index: reset error correctly Clear any error state upon each iteration. If one of the iterations ends (with an error of `GIT_ITEROVER`) we need to reset that error to 0, lest we stop the whole process prematurely.
feea2849	2016-05-26T12:52:29	win32: clean up unused warnings in DllMain
efadf28d	2016-05-26T12:39:09	filebuf: fix uninitialized warning
85ef6ec5	2016-05-12T13:18:07	Ignore submodules when checking for merge conflicts in the workdir.
70681ff7	2016-02-16T21:02:41	checkout: handle dirty submodules correctly Don't generate conflicts when checking out a modified submodule and the submodule is dirty or modified in the workdir.
78b5702e	2016-05-18T16:00:01	Fix comment for GIT_FILEMODE_LINK 0120000 is symbolic link, not commit
849a1a43	2016-05-05T23:34:23	Fix unused variable 'message' warning
cf0396a5	2016-05-02T16:49:59	delta-apply: fix sign extension We compute offsets by executing `off \|= (*delta++ << 24)` for multiple constants, where `off` is of type `size_t` and `delta` is of type `unsigned char`. The usual arithmetic conversions (see ISO C89 §3.2.1.5 "Usual arithmetic conversions") kick in here, causing us to promote both operands to `int` and then extending the result to an `unsigned long` when OR'ing it with `off`. The integer promotion to `int` may result in wrong size calculations for big values. Fix the issue by making the constants `unsigned long`, causing both operands to be promoted to `unsigned long`.
1fb8a951	2016-05-02T16:24:14	odb_loose: fix undefined behavior when computing size An object's size is computed by reading the object header's size field until the most significant bit is not set anymore. To get the total size, we increase the shift on each iteration and add the shifted value to the total size. We read the current value into a variable of type `unsigned char`, from which we then take all bits except the most significant bit and shift the result. We will end up with a maximum shift of 60, but this exceeds the width of the value's type, resulting in undefined behavior. Fix the issue by instead reading the values into a variable of type `unsigned long`, which matches the required width. This is equivalent to git.git, which uses an `unsigned long` as well.
f627e196	2016-05-02T15:47:54	checkout: set ignorecase=0 when config lookup fails When `git_repository__cvar` fails we may end up with a `ignorecase` value of `-1`. As we subsequently check if `ignorecase` is non-zero, we may end up reporting that data should be removed when in fact it should not. Err on the safer side and set `ignorecase = 0` when `git_repository__cvar` fails.
66633e83	2016-04-27T12:00:31	odb: avoid inflating the full delta to read the header When we read the header, we want to know the size and type of the object. We're currently inflating the full delta in order to read the first few bytes. This can mean hundreds of kB needlessly inflated for large objects. Instead use a packfile stream to read just enough so we can read the two varints in the header and avoid inflating most of the delta.
fc2ef514	2016-05-02T14:30:14	index: fix memory leak on error case
b726c539	2016-04-26T18:04:03	Fix return value of openssl_read (infinite loop) openssl_read should return -1 in case of error. SSL_read returns values <= 0 in case of error. A return value of 0 can lead to an infinite loop, so the return value of ssl_set_error will be returned if SSL_read is not successful (analog to openssl_write).
16541b86	2016-04-25T12:16:05	tag: ignore extra header fields While no extra header fields are defined for tags, git accepts them by ignoring them and continuing the search for the message. There are a few tags like this in the wild which git parses just fine, so we should do the same.
ccfacb8b	2016-03-31T10:43:57	leaks: call `xdl_free_classifier`
2c1bc36d	2016-03-29T14:47:31	Plug a few leaks
af753aba	2016-03-22T00:18:44	tree: drop the now-unnecessary entries vector Remove the now-unnecessary entries vector. Add `git_array_search` to binary search through an array to accomplish this.
13ebf7bd	2016-03-20T12:01:45	tree: store the entries in a growable array Take advantage of the constant size of tree-owned arrays and store them in an array instead of a pool. This still lets us free them all at once but lets the system allocator do the work of fitting them in.
26f2cefb	2016-03-20T11:00:12	tree: re-use the id and filename in the odb object Instead of copying over the data into the individual entries, point to the originals, which are already in a format we can use.
17789083	2016-04-01T14:33:42	ignore: don't use realpath to canonicalize path If we're looking for a symlink, realpath will give us the resolved path, which is not what we're after, but a canonicalized version of the path the user asked for.
a13c1ec2	2016-03-28T11:13:51	config: don't write section header if we're in it If we hit the EOF while trying to write a new value, it may be that we're already in the section that we were looking for. If so, do not write a (duplicate) section header, just write the value.
3e2e8240	2016-04-11T17:43:07	refs: provide a more general error message for dwim If we cannot dwim the input, set the error message to be explicit about that. Otherwise we leave the error for the last failed lookup, which can be rather unexpected as it mentions a remote when the user thought they were trying to look up a branch.
56da07cb	2016-03-31T11:32:36	xdiff/xprepare: fix a memory leak The xdl_prepare_env() function may initialise an xdlclassifier_t data structure via xdl_init_classifier(), which allocates memory to several fields, for example 'rchash', 'rcrecs' and 'ncha'. If this function later exits due to the failure of xdl_optimize_ctxs(), then this xdlclassifier_t structure, and the memory allocated to it, is not cleaned up. In order to fix the memory leak, insert a call to xdl_free_classifier() before returning. This patch was originally written by Ramsay Jones (see commit 87f16258367a3b9a62663b11f898a4a6f3c19d31 in git.git).
3ec0f2e3	2016-03-31T11:30:31	xdiff/xprepare: use the XDF_DIFF_ALG() macro to access flag bits Commit 307ab20b3 ("xdiff: PATIENCE/HISTOGRAM are not independent option bits", 19-02-2012) introduced the XDF_DIFF_ALG() macro to access the flag bits used to represent the diff algorithm requested. In addition, code which had used explicit manipulation of the flag bits was changed to use the macros. However, one example of direct manipulation remains. Update this code to use the XDF_DIFF_ALG() macro. This patch was originally written by Ramsay Jones (see commit 5cd6978a9cfef58de061a9525f3678ade479564d in git.git).
c86a65be	2016-03-21T21:10:26	config: don't special-case multivars that don't exist yet This special-casing ignores that we might have a locked file, so the hashtable does not represent the contents of the file we want to write. This causes multivar writes to overwrite entries instead of add to them when under lock. There is no need for this as the normal code-path will write to the file just fine, so simply get rid of it.
a1cf2644	2016-03-18T13:00:27	win32: free thread-local data on thread exit
e97d2d70	2016-03-17T10:45:22	commit: fix extraction of single-line signatures The function to extract signatures suffers from a similar bug to the header field finding one by having an unecessary line feed check as a break condition of its loop. Fix that and add a test for this single-line signature situation.
d8fcafb2	2016-03-16T19:05:11	Split the page size from the mmap alignment While often similar, these are not the same on Windows. We want to use the page size on Windows for the pools, but for mmap we need to use the allocation granularity as the alignment. On the other platforms these values remain the same.
4e91020c	2016-03-14T12:41:12	Start error string with lower case character
c1ec732f	2016-03-14T12:02:00	Setup better defaults for OpenSSL ciphers This ensures that when using OpenSSL a safe default set of ciphers is selected. This is done so that the client communicates securely and we don't accidentally enable unsafe ciphers like RC4, or even worse some old export ciphers. Implements the first part of https://github.com/libgit2/libgit2/issues/3682
89e7604c	2016-03-10T17:21:02	config_cache: check return value of `git_config__lookup_entry` Callers of `git_config__cvar` already handle the case where the function returns an error due to a failed configuration variable lookup, but we are actually swallowing errors when calling `git_config__lookup_entry` inside of the function. Fix this by returning early when `git_config__lookup_entry` returns an error. As we call `git_config__lookup_entry` with `no_errors == false` which leads us to call `get_entry` with `GET_NO_MISSING` we will not return early when the lookup fails due to a missing entry. Like this we are still able to set the default value of the cvar and exit successfully.
18c4ae70	2016-03-10T17:05:30	filebuf: handle write error in `lock_file` When writing to a file with locking not check if writing the locked file actually succeeds. Fix the issue by returning error code and message when writing fails.
f17ed637	2016-03-10T16:42:55	blame: handle error when resoling HEAD in normalize_options When normalizing options we try to look up HEAD's OID. While this action may fail in malformed repositories we never check the return value of the function. Fix the issue by converting `normalize_options` to actually return an error and handle the error in `git_blame_file`.
8d3ee96a	2016-03-10T16:11:51	refdb_fs: fail if refcache returns NULL pointer We usually check entries returned by `git_sortedcache_entry` for NULL pointers. As we have a write lock in `packed_write`, though, it really should not happen that the function returns NULL. Assert that ref is not NULL to silence a Coverity warning.
851c51ab	2016-03-10T10:40:47	diff_tform: fix potential NULL pointer access When the user passes in a diff which has no repository associated we may call `git_config__get_int_force` with a NULL-pointer configuration. Even though `git_config__get_int_force` is designed to swallow errors, it is not intended to be called with a NULL pointer configuration. Fix the issue by only calling `git_config__get_int_force` only when configuration could be retrieved from the repository.
d96c0638	2016-03-01T19:11:33	submodule: avoid passing NULL pointers to strncmp In C89 it is undefined behavior to pass `NULL` pointers to `strncmp` and later on in C99 it has been explicitly stated that functions with an argument declared as `size_t nmemb` specifying the array length shall always have valid parameters, no matter if `nmemb` is 0 or not (see ISO 9899 §7.21.1.2). The function `str_equal_no_trailing_slash` always passes its parameters to `strncmp` if their lengths match. This means if one parameter is `NULL` and the other one either `NULL` or a string with length 0 we will pass the pointers to `strncmp` and cause undefined behavior. Fix this by explicitly handling the case when both lengths are 0.
1a16e8b0	2016-03-01T17:55:40	pack-objects: fix memory leak on overflow
e114bbac	2016-03-01T16:00:49	index: assert required OID are non-NULL
d0780b81	2016-03-01T15:35:45	object: avoid call of memset with ouf of bounds pointer When computing a short OID we do this by first copying the leading parts into the new OID structure and then setting the trailing part to zero. In the case of the desired length being `GIT_OID_HEXSZ - 1` we will call `memset` with an out of bounds pointer and a length of 0. While this seems to cause no problems for common platforms the C89 standard does not explicitly state that calling `memset` with an out of bounds pointer and length of 0 is valid. Fix the potential issue by using the newly introduced `git_oid__cpy_prefix` function.
dd78d7d1	2016-03-10T16:33:49	blame_git: handle error returned by `git_commit_parent`
fa4b93a6	2016-04-11T15:57:23	backport git_oid__cpy_prefix
e39ad747	2016-03-01T14:40:17	config_file: handle missing quotation marks in section header When parsing a section header we expect something along the format of '[section "subsection"]'. When a section is mal-formated and is entirely missing its quotation marks we catch this case by observing that `strchr(line, '"') - strrchr(line, '"') = NULL - NULL = 0` and error out. Unfortunately, the error message is misleading though, as we state that we are missing the closing quotation mark while we in fact miss both quotation marks. Improve the error message by explicitly checking if the first quotation mark could be found and, if not, stating that quotation marks are completely missing.
ffb1f419	2016-03-01T14:24:09	describe: handle error code returned by git_pqueue_insert
4ebf745f	2016-03-09T11:16:16	mwindow: free unused windows if we fail to mmap The first time may be due to memory fragmentation or just bad luck on a 32-bit system. When we hit the mmap error for the first time, free up the unused windows and try again.
9ee498e8	2016-03-08T10:16:37	Only buffer if necessary.
eb09ead2	2016-03-04T01:18:30	odb: improved not found error messages When looking up an abbreviated oid, show the actual (abbreviated) oid the caller passed instead of a full (but ambiguously truncated) oid.
cdded630	2016-01-13T11:07:14	Remove duplicated calls to git_mwindow_close
e3862c9f	2016-01-11T17:09:32	Buffer sideband packet data The inner packet may be split across multiple sideband packets.
8ec3d88f	2015-12-24T10:04:44	Avoid subtraction overflow in git_indexer_commit
4a93a7fc	2015-12-28T11:37:39	Tabs
e44f6586	2015-12-28T07:43:24	Removing #define for SSH_PREFIX_COUNT and using ARRAY_SIZE instead Also moving var declarations to top of blocks to support bad old compilers
ff8e3f0e	2015-12-22T10:38:31	Handle git+ssh:// and ssh+git:// protocols support
ea5bf6bb	2016-03-04T12:34:38	treebuilder: don't try to verify submodules exist in the odb Submodules don't exist in the objectdb and the code is making us try to look for a blob with its commit id, which is obviously not going to work. Skip the test if the user wants to insert a submodule.
22f3d3aa	2016-03-03T22:26:31	ssh: initialize libssh2 We should have been doing this, but it initializes itself upon first use, which works as long as nobody's doing concurrent network operations. Initialize it on our init to make sure it's not getting initialized concurrently.
66a530eb	2016-03-03T20:11:18	Merge pull request #3648 from libgit2/cmn/auth-retry test: make sure we retry the auth callback on all platforms
778fb695	2016-03-03T12:14:02	Merge pull request #3646 from pks-t/pks/xdiff-fix-from-upstream xdiff: fix memleak on error case
a4cba9d4	2016-03-03T10:48:24	winhttp: retry authentication If the caller has provided bad authentication, give them another apportunity to get it right until they give up. This brings WinHTTP in line with the other transports.
edaffe22	2016-03-01T17:16:27	Merge pull request #3633 from ethomson/safe_creation Stricter object dependency checking during creation
a4ea7faa	2016-03-01T08:54:00	xdiff: fix memleak on error case Commit 3d1abc5afce fixes a memory leak in the xdiff code. In the process of upstreaming the fix it was pointed out by Johannes Schindelin that there is another memory leak present (see [1]). Fix the second memory leak by applying the upstream fix to our code base. [1]: http://thread.gmane.org/gmane.comp.version-control.git/287034
dbee6835	2016-02-28T20:13:24	Merge pull request #3567 from sba1/few-p_getaddrinfo-fixes Few p_getaddrinfo fixes
f2dddf52	2016-02-28T15:51:38	turn on strict object validation by default
98c34149	2016-02-28T15:11:15	refs: honor strict object creation
3ef01e77	2016-02-28T14:37:37	git_object__is_valid: use `odb_read_header` This allows lighter weight validation in `git_object__is_valid` that does not require reading the entire object.
6ddf533a	2016-02-23T18:29:16	git_index_add: validate objects in index entries (optionally) When `GIT_OPT_ENABLE_STRICT_OBJECT_CREATION` is turned on, validate the index entries given to `git_index_add`.
2bbc7d3e	2016-02-23T15:00:27	treebuilder: validate tree entries (optionally) When `GIT_OPT_ENABLE_STRICT_OBJECT_CREATION` is turned on, validate the tree and parent ids given to treebuilder insertion.
ef63bab3	2016-02-23T13:34:35	git_commit: validate tree and parent ids When `GIT_OPT_ENABLE_STRICT_OBJECT_CREATION` is turned on, validate the tree and parent ids given to commit creation functions.
7565dc65	2016-02-23T13:33:10	git_object__is_valid: simple object validity test
22a19f5b	2016-02-22T23:46:50	git_libgit2_opts: introduce `GIT_OPT_ENABLE_STRICT_OBJECT_CREATION`
6cc4bac8	2016-02-28T11:31:10	Merge pull request #3577 from rossdylan/rossdylan/pooldebug Add a new build flag to disable the pool allocator
93e16642	2016-02-26T12:51:13	Fixed typo in one of the ifndef's in pool.h used to enable/disable debug mode
9f4e7c84	2016-02-25T18:42:09	Merge pull request #3638 from ethomson/nsec USE_NSECS fixes
0d9a7498	2016-02-25T12:09:49	Merge pull request #3628 from pks-t/pks/coverity-fixes Coverity fixes
fd129f28	2016-02-25T11:59:00	Merge pull request #3630 from libgit2/cmn/idx-extra-check Extra checks for packfile indices
3d6a42d1	2016-02-25T11:23:19	nsec: support NDK's crazy nanoseconds Android NDK does not have a `struct timespec` in its `struct stat` for nanosecond support, instead it has a single nanosecond member inside the struct stat itself. We will use that and use a macro to expand to the `st_mtim` / `st_mtimespec` definition on other systems (much like the existing `st_mtime` backcompat definition).
6d97beb9	2016-02-25T15:46:59	pack: don't allow a negative offset
ea9e00cb	2016-02-23T18:15:43	pack: make sure we don't go out of bounds for extended entries A corrupt index might have data that tells us to go look past the end of the file for data. Catch these cases and return an appropriate error message.
68ad3156	2016-02-24T17:17:57	openssl: we already had the function, just needed the header
f3d1be7d	2016-02-24T16:38:22	openssl: export the locking function when building without OpenSSL This got lost duing the move and it lets the users call this function just in case.
04c3b35f	2016-02-23T13:02:07	map: use `giterr_set` internally Use the `giterr_set` function, which actually supports `GITERR_OS`. The `giterr_set_str` function is exposed for external users and will not append the operating system's error message.
32f07984	2016-02-23T11:07:03	diff_tform: fix potential NULL pointer access The `normalize_find_opts` function in theory allows for the incoming diff to have no repository. When the caller does not pass in diff find options or if the GIT_DIFF_FIND_BY_CONFIG value is set, though, we try to derive the configuration from the diff's repository configuration without first verifying that the repository is actually set to a non-NULL value. Fix this issue by explicitly checking if the repository is set and if it is not, fall back to a default value of GIT_DIFF_FIND_RENAMES.
3d1abc5a	2016-02-22T17:13:23	xmerge: fix memory leak on error path
05bf67b9	2016-02-23T11:16:36	openssl_stream: fix NULL pointer dereference
2baf854e	2016-02-22T16:08:56	openssl_stream: fix memory leak when creating new stream
2afb6fa4	2016-02-22T16:05:13	rebase: plug memory leak in `rebase_alloc` Convert `rebase_alloc` to use our usual error propagation patterns, that is accept an out-parameter and return an error code that is to be checked by the caller. This allows us to use the GITERR_CHECK_ALLOC macro, which helps static analysis.
d0cb11e7	2016-02-22T16:01:03	remote: set error code in `create_internal` Set the error code when an error occurs in any of the called functions. This ensures we pass the error up to callers and actually free the remote when an error occurs.
0f1e2d20	2016-02-23T11:23:26	index: fix contradicting comparison The overflow check in `read_reuc` tries to verify if the `git__strtol32` parses an integer bigger than UINT_MAX. The `tmp` variable is casted to an unsigned int for this and then checked for being greater than UINT_MAX, which obviously can never be true. Fix this by instead fixing the `mode` field's size in `struct git_index_reuc_entry` to `uint32_t`. We can now parse the int with `git__strtol64`, which can never return a value bigger than `UINT32_MAX`, and additionally checking if the returned value is smaller than zero. We do not need to handle overflows explicitly here, as `git__strtol64` returns an error when the returned value would overflow.
7808c937	2016-02-22T15:59:15	index: plug memory leak in `read_conflict_names`
003c5e46	2016-02-22T15:52:49	transports: smart_pkt: fix memory leaks on error paths
793e0855	2016-02-22T14:06:48	refdb_fs: remove unnecessary check for NULL The fail-label of `reflog_parse` explicitly checks the entry poitner for NULL before freeing it. When we jump to the label the variable has to be set to a non-NULL and valid pointer though: if the allocation fails we immediately return with an error code and if the loop was not entered we return with a success code, withouth executing the label's code. Remove the useless NULL-check to silence Coverity.
be8479c9	2016-02-22T14:01:50	diff_print: assert patch is non-NULL When invoking `diff_print_info_init_frompatch` it is obvious that the patch should be non-NULL. We explicitly check if the variable is set and continue afterwards, happily dereferencing the potential NULL-pointer. Fix this by instead asserting that patch is set. This also silences Coverity.
bac52ab0	2016-02-22T13:48:45	pack-objects: return early when computing write order fails The function `compute_write_order` may return a `NULL`-pointer when an error occurs. In such cases we jump to the `done`-label where we try to clean up allocated memory. Unfortunately we try to deallocate the `write_order` array, though, which may be NULL here. Fix this error by returning early instead of jumping to the `done` label. There is no data to be cleaned up anyway.
d1c9a48d	2016-02-23T10:45:09	pack-objects: check realloc in try_delta with GITERR_CHECK_ALLOC
2129d6df	2016-02-22T13:33:48	crlf: do not ignore GIT_PASSTHROUGH error When no payload is set for `crlf_apply` we try to compute the crlf attributes ourselves with `crlf_check`. When the function determines that the current file does not require any treatment we return the GIT_PASSTHROUGH error code without actually allocating the out-pointer, which indicates the file should not be passed through the filter. The `crlf_apply` function explicitly checks for the GIT_PASSTHROUGH return code and ignores it. This means we will try to apply the crlf-filter to the current file, leading us to dereference the unallocated payload-pointer. Fix this obviously incorrect behavior by not treating GIT_PASSTHROUGH in any special way. This is the correct thing to do anyway, as the code indicates that the file should not be passed through the filter.

27008e84

2016-06-14T14:46:12

fetch: Fixed spurious update callback for existing tags.

d1fb89dd

2016-06-07T12:55:17

global: clean up crt only after freeing tls data The thread local storage is used to hold some global state that is dynamically allocated and should be freed upon exit. On Windows, we clean up the C run-time right after execution of registered shutdown callbacks and before cleaning up the TLS. When we clean up the CRT, we also cause it to analyze for memory leaks. As we did not free the TLS yet this will lead to false positives. Fix the issue by first freeing the TLS and cleaning up the CRT only afterwards.

246d25b3

2016-06-07T08:35:26

index: fix NULL pointer access in index_remove_entry When removing an entry from the index by its position, we first retrieve the position from the index's entries and then try to remove the retrieved value from the index map with `DELETE_IN_MAP`. When `index_remove_entry` returns `NULL` we try to feed it into the `DELETE_IN_MAP` macro, which will unconditionally call `idxentry_hash` and then happily dereference the `NULL` entry pointer. Fix the issue by not passing a `NULL` entry into `DELETE_IN_MAP`.

1a709604

2016-06-06T12:59:17

transports: smart: fix potential invalid memory dereferences When we receive a packet of exactly four bytes encoding its length as those four bytes it can be treated as an empty line. While it is not really specified how those empty lines should be treated, we currently ignore them and do not return an error when trying to parse it but simply advance the data pointer. Callers invoking `git_pkt_parse_line` are currently not prepared to handle this case as they do not explicitly check this case. While they could always reset the passed out-pointer to `NULL` before calling `git_pkt_parse_line` and determine if the pointer has been set afterwards, it makes more sense to update `git_pkt_parse_line` to set the out-pointer to `NULL` itself when it encounters such an empty packet. Like this it is guaranteed that there will be no invalid memory references to free'd pointers. As such, the issue has been fixed such that `git_pkt_parse_line` always sets the packet out pointer to `NULL` when an empty packet has been received and callers check for this condition, skipping such packets.

11408f0e

2016-06-02T02:34:03

index_read_index: invalidate new paths in tree cache When adding a new entry to an existing index via `git_index_read_index`, be sure to remove the tree cache entry for that new path. This will mark all parent trees as dirty.

80745b12

2016-06-02T01:04:58

index_read_index: set flags for path_len correctly Update the flags to reset the path_len (to emulate `index_insert`)

e755f79f

2016-06-02T00:47:51

index_read_index: differentiate on mode Treat index entries with different modes as different, which they are, at least for the purposes of up-to-date calculations.

e6a0a850

2016-06-01T14:56:27

index_read_index: reset error correctly Clear any error state upon each iteration. If one of the iterations ends (with an error of `GIT_ITEROVER`) we need to reset that error to 0, lest we stop the whole process prematurely.

feea2849

2016-05-26T12:52:29

win32: clean up unused warnings in DllMain

efadf28d

2016-05-26T12:39:09

filebuf: fix uninitialized warning

85ef6ec5

2016-05-12T13:18:07

Ignore submodules when checking for merge conflicts in the workdir.

70681ff7

2016-02-16T21:02:41

checkout: handle dirty submodules correctly Don't generate conflicts when checking out a modified submodule and the submodule is dirty or modified in the workdir.

78b5702e

2016-05-18T16:00:01

Fix comment for GIT_FILEMODE_LINK 0120000 is symbolic link, not commit

849a1a43

2016-05-05T23:34:23

Fix unused variable 'message' warning

cf0396a5

2016-05-02T16:49:59

delta-apply: fix sign extension We compute offsets by executing `off |= (*delta++ << 24)` for multiple constants, where `off` is of type `size_t` and `delta` is of type `unsigned char`. The usual arithmetic conversions (see ISO C89 §3.2.1.5 "Usual arithmetic conversions") kick in here, causing us to promote both operands to `int` and then extending the result to an `unsigned long` when OR'ing it with `off`. The integer promotion to `int` may result in wrong size calculations for big values. Fix the issue by making the constants `unsigned long`, causing both operands to be promoted to `unsigned long`.

1fb8a951

2016-05-02T16:24:14

odb_loose: fix undefined behavior when computing size An object's size is computed by reading the object header's size field until the most significant bit is not set anymore. To get the total size, we increase the shift on each iteration and add the shifted value to the total size. We read the current value into a variable of type `unsigned char`, from which we then take all bits except the most significant bit and shift the result. We will end up with a maximum shift of 60, but this exceeds the width of the value's type, resulting in undefined behavior. Fix the issue by instead reading the values into a variable of type `unsigned long`, which matches the required width. This is equivalent to git.git, which uses an `unsigned long` as well.

f627e196

2016-05-02T15:47:54

checkout: set ignorecase=0 when config lookup fails When `git_repository__cvar` fails we may end up with a `ignorecase` value of `-1`. As we subsequently check if `ignorecase` is non-zero, we may end up reporting that data should be removed when in fact it should not. Err on the safer side and set `ignorecase = 0` when `git_repository__cvar` fails.

66633e83

2016-04-27T12:00:31

odb: avoid inflating the full delta to read the header When we read the header, we want to know the size and type of the object. We're currently inflating the full delta in order to read the first few bytes. This can mean hundreds of kB needlessly inflated for large objects. Instead use a packfile stream to read just enough so we can read the two varints in the header and avoid inflating most of the delta.

fc2ef514

2016-05-02T14:30:14

index: fix memory leak on error case

b726c539

2016-04-26T18:04:03

Fix return value of openssl_read (infinite loop) openssl_read should return -1 in case of error. SSL_read returns values <= 0 in case of error. A return value of 0 can lead to an infinite loop, so the return value of ssl_set_error will be returned if SSL_read is not successful (analog to openssl_write).

16541b86

2016-04-25T12:16:05

tag: ignore extra header fields While no extra header fields are defined for tags, git accepts them by ignoring them and continuing the search for the message. There are a few tags like this in the wild which git parses just fine, so we should do the same.

ccfacb8b

2016-03-31T10:43:57

leaks: call `xdl_free_classifier`

2c1bc36d

2016-03-29T14:47:31

Plug a few leaks

af753aba

2016-03-22T00:18:44

tree: drop the now-unnecessary entries vector Remove the now-unnecessary entries vector. Add `git_array_search` to binary search through an array to accomplish this.

13ebf7bd

2016-03-20T12:01:45

tree: store the entries in a growable array Take advantage of the constant size of tree-owned arrays and store them in an array instead of a pool. This still lets us free them all at once but lets the system allocator do the work of fitting them in.

26f2cefb

2016-03-20T11:00:12

tree: re-use the id and filename in the odb object Instead of copying over the data into the individual entries, point to the originals, which are already in a format we can use.

17789083

2016-04-01T14:33:42

ignore: don't use realpath to canonicalize path If we're looking for a symlink, realpath will give us the resolved path, which is not what we're after, but a canonicalized version of the path the user asked for.

a13c1ec2

2016-03-28T11:13:51

config: don't write section header if we're in it If we hit the EOF while trying to write a new value, it may be that we're already in the section that we were looking for. If so, do not write a (duplicate) section header, just write the value.

3e2e8240

2016-04-11T17:43:07

refs: provide a more general error message for dwim If we cannot dwim the input, set the error message to be explicit about that. Otherwise we leave the error for the last failed lookup, which can be rather unexpected as it mentions a remote when the user thought they were trying to look up a branch.

56da07cb

2016-03-31T11:32:36

xdiff/xprepare: fix a memory leak The xdl_prepare_env() function may initialise an xdlclassifier_t data structure via xdl_init_classifier(), which allocates memory to several fields, for example 'rchash', 'rcrecs' and 'ncha'. If this function later exits due to the failure of xdl_optimize_ctxs(), then this xdlclassifier_t structure, and the memory allocated to it, is not cleaned up. In order to fix the memory leak, insert a call to xdl_free_classifier() before returning. This patch was originally written by Ramsay Jones (see commit 87f16258367a3b9a62663b11f898a4a6f3c19d31 in git.git).

3ec0f2e3

2016-03-31T11:30:31

xdiff/xprepare: use the XDF_DIFF_ALG() macro to access flag bits Commit 307ab20b3 ("xdiff: PATIENCE/HISTOGRAM are not independent option bits", 19-02-2012) introduced the XDF_DIFF_ALG() macro to access the flag bits used to represent the diff algorithm requested. In addition, code which had used explicit manipulation of the flag bits was changed to use the macros. However, one example of direct manipulation remains. Update this code to use the XDF_DIFF_ALG() macro. This patch was originally written by Ramsay Jones (see commit 5cd6978a9cfef58de061a9525f3678ade479564d in git.git).

c86a65be

2016-03-21T21:10:26

config: don't special-case multivars that don't exist yet This special-casing ignores that we might have a locked file, so the hashtable does not represent the contents of the file we want to write. This causes multivar writes to overwrite entries instead of add to them when under lock. There is no need for this as the normal code-path will write to the file just fine, so simply get rid of it.

a1cf2644

2016-03-18T13:00:27

win32: free thread-local data on thread exit

e97d2d70

2016-03-17T10:45:22

commit: fix extraction of single-line signatures The function to extract signatures suffers from a similar bug to the header field finding one by having an unecessary line feed check as a break condition of its loop. Fix that and add a test for this single-line signature situation.

d8fcafb2

2016-03-16T19:05:11

Split the page size from the mmap alignment While often similar, these are not the same on Windows. We want to use the page size on Windows for the pools, but for mmap we need to use the allocation granularity as the alignment. On the other platforms these values remain the same.

4e91020c

2016-03-14T12:41:12

Start error string with lower case character

c1ec732f

2016-03-14T12:02:00

Setup better defaults for OpenSSL ciphers This ensures that when using OpenSSL a safe default set of ciphers is selected. This is done so that the client communicates securely and we don't accidentally enable unsafe ciphers like RC4, or even worse some old export ciphers. Implements the first part of https://github.com/libgit2/libgit2/issues/3682

89e7604c

2016-03-10T17:21:02

config_cache: check return value of `git_config__lookup_entry` Callers of `git_config__cvar` already handle the case where the function returns an error due to a failed configuration variable lookup, but we are actually swallowing errors when calling `git_config__lookup_entry` inside of the function. Fix this by returning early when `git_config__lookup_entry` returns an error. As we call `git_config__lookup_entry` with `no_errors == false` which leads us to call `get_entry` with `GET_NO_MISSING` we will not return early when the lookup fails due to a missing entry. Like this we are still able to set the default value of the cvar and exit successfully.

18c4ae70

2016-03-10T17:05:30

filebuf: handle write error in `lock_file` When writing to a file with locking not check if writing the locked file actually succeeds. Fix the issue by returning error code and message when writing fails.

f17ed637

2016-03-10T16:42:55

blame: handle error when resoling HEAD in normalize_options When normalizing options we try to look up HEAD's OID. While this action may fail in malformed repositories we never check the return value of the function. Fix the issue by converting `normalize_options` to actually return an error and handle the error in `git_blame_file`.

8d3ee96a

2016-03-10T16:11:51

refdb_fs: fail if refcache returns NULL pointer We usually check entries returned by `git_sortedcache_entry` for NULL pointers. As we have a write lock in `packed_write`, though, it really should not happen that the function returns NULL. Assert that ref is not NULL to silence a Coverity warning.

851c51ab

2016-03-10T10:40:47

diff_tform: fix potential NULL pointer access When the user passes in a diff which has no repository associated we may call `git_config__get_int_force` with a NULL-pointer configuration. Even though `git_config__get_int_force` is designed to swallow errors, it is not intended to be called with a NULL pointer configuration. Fix the issue by only calling `git_config__get_int_force` only when configuration could be retrieved from the repository.

d96c0638

2016-03-01T19:11:33

submodule: avoid passing NULL pointers to strncmp In C89 it is undefined behavior to pass `NULL` pointers to `strncmp` and later on in C99 it has been explicitly stated that functions with an argument declared as `size_t nmemb` specifying the array length shall always have valid parameters, no matter if `nmemb` is 0 or not (see ISO 9899 §7.21.1.2). The function `str_equal_no_trailing_slash` always passes its parameters to `strncmp` if their lengths match. This means if one parameter is `NULL` and the other one either `NULL` or a string with length 0 we will pass the pointers to `strncmp` and cause undefined behavior. Fix this by explicitly handling the case when both lengths are 0.

1a16e8b0

2016-03-01T17:55:40

pack-objects: fix memory leak on overflow

e114bbac

2016-03-01T16:00:49

index: assert required OID are non-NULL

d0780b81

2016-03-01T15:35:45

object: avoid call of memset with ouf of bounds pointer When computing a short OID we do this by first copying the leading parts into the new OID structure and then setting the trailing part to zero. In the case of the desired length being `GIT_OID_HEXSZ - 1` we will call `memset` with an out of bounds pointer and a length of 0. While this seems to cause no problems for common platforms the C89 standard does not explicitly state that calling `memset` with an out of bounds pointer and length of 0 is valid. Fix the potential issue by using the newly introduced `git_oid__cpy_prefix` function.

dd78d7d1

2016-03-10T16:33:49

blame_git: handle error returned by `git_commit_parent`

fa4b93a6

2016-04-11T15:57:23

backport git_oid__cpy_prefix

e39ad747

2016-03-01T14:40:17

config_file: handle missing quotation marks in section header When parsing a section header we expect something along the format of '[section "subsection"]'. When a section is mal-formated and is entirely missing its quotation marks we catch this case by observing that `strchr(line, '"') - strrchr(line, '"') = NULL - NULL = 0` and error out. Unfortunately, the error message is misleading though, as we state that we are missing the closing quotation mark while we in fact miss both quotation marks. Improve the error message by explicitly checking if the first quotation mark could be found and, if not, stating that quotation marks are completely missing.

ffb1f419

2016-03-01T14:24:09

describe: handle error code returned by git_pqueue_insert

4ebf745f

2016-03-09T11:16:16

mwindow: free unused windows if we fail to mmap The first time may be due to memory fragmentation or just bad luck on a 32-bit system. When we hit the mmap error for the first time, free up the unused windows and try again.

9ee498e8

2016-03-08T10:16:37

Only buffer if necessary.

eb09ead2

2016-03-04T01:18:30

odb: improved not found error messages When looking up an abbreviated oid, show the actual (abbreviated) oid the caller passed instead of a full (but ambiguously truncated) oid.

cdded630

2016-01-13T11:07:14

Remove duplicated calls to git_mwindow_close

e3862c9f

2016-01-11T17:09:32

Buffer sideband packet data The inner packet may be split across multiple sideband packets.

8ec3d88f

2015-12-24T10:04:44

Avoid subtraction overflow in git_indexer_commit

4a93a7fc

2015-12-28T11:37:39

Tabs

e44f6586

2015-12-28T07:43:24

Removing #define for SSH_PREFIX_COUNT and using ARRAY_SIZE instead Also moving var declarations to top of blocks to support bad old compilers

ff8e3f0e

2015-12-22T10:38:31

Handle git+ssh:// and ssh+git:// protocols support

ea5bf6bb

2016-03-04T12:34:38

treebuilder: don't try to verify submodules exist in the odb Submodules don't exist in the objectdb and the code is making us try to look for a blob with its commit id, which is obviously not going to work. Skip the test if the user wants to insert a submodule.

22f3d3aa

2016-03-03T22:26:31

ssh: initialize libssh2 We should have been doing this, but it initializes itself upon first use, which works as long as nobody's doing concurrent network operations. Initialize it on our init to make sure it's not getting initialized concurrently.

66a530eb

2016-03-03T20:11:18

Merge pull request #3648 from libgit2/cmn/auth-retry test: make sure we retry the auth callback on all platforms

778fb695

2016-03-03T12:14:02

Merge pull request #3646 from pks-t/pks/xdiff-fix-from-upstream xdiff: fix memleak on error case

a4cba9d4

2016-03-03T10:48:24

winhttp: retry authentication If the caller has provided bad authentication, give them another apportunity to get it right until they give up. This brings WinHTTP in line with the other transports.

edaffe22

2016-03-01T17:16:27

Merge pull request #3633 from ethomson/safe_creation Stricter object dependency checking during creation

a4ea7faa

2016-03-01T08:54:00

xdiff: fix memleak on error case Commit 3d1abc5afce fixes a memory leak in the xdiff code. In the process of upstreaming the fix it was pointed out by Johannes Schindelin that there is another memory leak present (see [1]). Fix the second memory leak by applying the upstream fix to our code base. [1]: http://thread.gmane.org/gmane.comp.version-control.git/287034

dbee6835

2016-02-28T20:13:24

Merge pull request #3567 from sba1/few-p_getaddrinfo-fixes Few p_getaddrinfo fixes

f2dddf52

2016-02-28T15:51:38

turn on strict object validation by default

98c34149

2016-02-28T15:11:15

refs: honor strict object creation

3ef01e77

2016-02-28T14:37:37

git_object__is_valid: use `odb_read_header` This allows lighter weight validation in `git_object__is_valid` that does not require reading the entire object.

6ddf533a

2016-02-23T18:29:16

git_index_add: validate objects in index entries (optionally) When `GIT_OPT_ENABLE_STRICT_OBJECT_CREATION` is turned on, validate the index entries given to `git_index_add`.

2bbc7d3e

2016-02-23T15:00:27

treebuilder: validate tree entries (optionally) When `GIT_OPT_ENABLE_STRICT_OBJECT_CREATION` is turned on, validate the tree and parent ids given to treebuilder insertion.

ef63bab3

2016-02-23T13:34:35

git_commit: validate tree and parent ids When `GIT_OPT_ENABLE_STRICT_OBJECT_CREATION` is turned on, validate the tree and parent ids given to commit creation functions.

7565dc65

2016-02-23T13:33:10

git_object__is_valid: simple object validity test

22a19f5b

2016-02-22T23:46:50

git_libgit2_opts: introduce `GIT_OPT_ENABLE_STRICT_OBJECT_CREATION`

6cc4bac8

2016-02-28T11:31:10

Merge pull request #3577 from rossdylan/rossdylan/pooldebug Add a new build flag to disable the pool allocator

93e16642

2016-02-26T12:51:13

Fixed typo in one of the ifndef's in pool.h used to enable/disable debug mode

9f4e7c84

2016-02-25T18:42:09

Merge pull request #3638 from ethomson/nsec USE_NSECS fixes

0d9a7498

2016-02-25T12:09:49

Merge pull request #3628 from pks-t/pks/coverity-fixes Coverity fixes

fd129f28

2016-02-25T11:59:00

Merge pull request #3630 from libgit2/cmn/idx-extra-check Extra checks for packfile indices

3d6a42d1

2016-02-25T11:23:19

nsec: support NDK's crazy nanoseconds Android NDK does not have a `struct timespec` in its `struct stat` for nanosecond support, instead it has a single nanosecond member inside the struct stat itself. We will use that and use a macro to expand to the `st_mtim` / `st_mtimespec` definition on other systems (much like the existing `st_mtime` backcompat definition).

6d97beb9

2016-02-25T15:46:59

pack: don't allow a negative offset

ea9e00cb

2016-02-23T18:15:43

pack: make sure we don't go out of bounds for extended entries A corrupt index might have data that tells us to go look past the end of the file for data. Catch these cases and return an appropriate error message.

68ad3156

2016-02-24T17:17:57

openssl: we already had the function, just needed the header

f3d1be7d

2016-02-24T16:38:22

openssl: export the locking function when building without OpenSSL This got lost duing the move and it lets the users call this function just in case.

04c3b35f

2016-02-23T13:02:07

map: use `giterr_set` internally Use the `giterr_set` function, which actually supports `GITERR_OS`. The `giterr_set_str` function is exposed for external users and will not append the operating system's error message.

32f07984

2016-02-23T11:07:03

diff_tform: fix potential NULL pointer access The `normalize_find_opts` function in theory allows for the incoming diff to have no repository. When the caller does not pass in diff find options or if the GIT_DIFF_FIND_BY_CONFIG value is set, though, we try to derive the configuration from the diff's repository configuration without first verifying that the repository is actually set to a non-NULL value. Fix this issue by explicitly checking if the repository is set and if it is not, fall back to a default value of GIT_DIFF_FIND_RENAMES.

3d1abc5a

2016-02-22T17:13:23

xmerge: fix memory leak on error path

05bf67b9

2016-02-23T11:16:36

openssl_stream: fix NULL pointer dereference

2baf854e

2016-02-22T16:08:56

openssl_stream: fix memory leak when creating new stream

2afb6fa4

2016-02-22T16:05:13

rebase: plug memory leak in `rebase_alloc` Convert `rebase_alloc` to use our usual error propagation patterns, that is accept an out-parameter and return an error code that is to be checked by the caller. This allows us to use the GITERR_CHECK_ALLOC macro, which helps static analysis.

d0cb11e7

2016-02-22T16:01:03

remote: set error code in `create_internal` Set the error code when an error occurs in any of the called functions. This ensures we pass the error up to callers and actually free the remote when an error occurs.

0f1e2d20

2016-02-23T11:23:26

index: fix contradicting comparison The overflow check in `read_reuc` tries to verify if the `git__strtol32` parses an integer bigger than UINT_MAX. The `tmp` variable is casted to an unsigned int for this and then checked for being greater than UINT_MAX, which obviously can never be true. Fix this by instead fixing the `mode` field's size in `struct git_index_reuc_entry` to `uint32_t`. We can now parse the int with `git__strtol64`, which can never return a value bigger than `UINT32_MAX`, and additionally checking if the returned value is smaller than zero. We do not need to handle overflows explicitly here, as `git__strtol64` returns an error when the returned value would overflow.

7808c937

2016-02-22T15:59:15

index: plug memory leak in `read_conflict_names`

003c5e46

2016-02-22T15:52:49

transports: smart_pkt: fix memory leaks on error paths

793e0855

2016-02-22T14:06:48

refdb_fs: remove unnecessary check for NULL The fail-label of `reflog_parse` explicitly checks the entry poitner for NULL before freeing it. When we jump to the label the variable has to be set to a non-NULL and valid pointer though: if the allocation fails we immediately return with an error code and if the loop was not entered we return with a success code, withouth executing the label's code. Remove the useless NULL-check to silence Coverity.

be8479c9

2016-02-22T14:01:50

diff_print: assert patch is non-NULL When invoking `diff_print_info_init_frompatch` it is obvious that the patch should be non-NULL. We explicitly check if the variable is set and continue afterwards, happily dereferencing the potential NULL-pointer. Fix this by instead asserting that patch is set. This also silences Coverity.

bac52ab0

2016-02-22T13:48:45

pack-objects: return early when computing write order fails The function `compute_write_order` may return a `NULL`-pointer when an error occurs. In such cases we jump to the `done`-label where we try to clean up allocated memory. Unfortunately we try to deallocate the `write_order` array, though, which may be NULL here. Fix this error by returning early instead of jumping to the `done` label. There is no data to be cleaned up anyway.

d1c9a48d

2016-02-23T10:45:09

pack-objects: check realloc in try_delta with GITERR_CHECK_ALLOC

2129d6df

2016-02-22T13:33:48

crlf: do not ignore GIT_PASSTHROUGH error When no payload is set for `crlf_apply` we try to compute the crlf attributes ourselves with `crlf_check`. When the function determines that the current file does not require any treatment we return the GIT_PASSTHROUGH error code without actually allocating the out-pointer, which indicates the file should not be passed through the filter. The `crlf_apply` function explicitly checks for the GIT_PASSTHROUGH return code and ignores it. This means we will try to apply the crlf-filter to the current file, leading us to dereference the unallocated payload-pointer. Fix this obviously incorrect behavior by not treating GIT_PASSTHROUGH in any special way. This is the correct thing to do anyway, as the code indicates that the file should not be passed through the filter.

thodg/libgit2/src

src

Log