kmx git

Commit	Date	Message
4ff829e9	2018-06-30T17:20:03	apply tests: test index+workdir application Test application with `GIT_APPLY_LOCATION_BOTH`, which emulates `git apply --index`, updating both the index and the working directory with the postimage.
dddfff77	2018-06-30T17:12:16	apply: convert checkout conflicts to apply failures When there's a checkout conflict during apply, that means that the working directory was modified in a conflicting manner and the postimage cannot be written. During application, convert this to an application failure for consistency across workdir/index/both applications.
771bd81e	2018-06-29T12:40:16	apply tests: ensure apply failures leave index unmodified
5b66b667	2018-06-29T12:39:41	apply: when preimage file is missing, return EAPPLYFAIL The preimage file being missing entirely is simply a case of an application failure; return the correct error value for the caller.
9db66c79	2018-06-29T12:50:38	apply test: apply with non-conflicting changes Ensure that we can apply to the working directory or the index when the application target is modified, so long as there are not conflicting changes to the items.
e0224121	2018-06-29T12:09:02	apply: simplify checkout vs index application Separate the concerns of applying via checkout and updating the repository's index. This results in simpler functionality and allows us to not build the temporary collection of paths in the index case.
d7090ee4	2018-06-28T17:26:24	apply tests: ensure we can add and remove files from the index Add a test that adds a new file, and another that removes a file when applying using `GIT_APPLY_LOCATION_INDEX` to ensure that they work.
553395dc	2018-06-25T20:21:01	apply: test that the index is not modified Ensure that by default, when using GIT_APPLY_LOCATION_WORKDIR, that patch application does not update the index, only the working directory.
0eb63b9f	2018-06-25T19:50:35	apply tests: separate common patch hunks Move the commonly-used patch hunks into a single constant location. This allows us to avoid re-declaring them in each test, and allows us to compose them to build a larger patch file that includes all the hunks.
20f8a6db	2018-06-28T17:26:21	apply: remove deleted paths from index We update the index with the new_file side of the delta, but we need to explicitly remove the old_file path in the case where an item was deleted or renamed.
702d4bec	2018-06-26T15:26:37	apply tests: use `git_iterator_foreach` for tests Use the new `git_iterator_foreach` API to validate the workdir against the expected workdir values instead of using the paired/multi iterator comparison callback. This allows us to use the `git_iterator_foreach` to validate the index as well, instead of assuming that the index and HEAD must always match.
d54aa9ae	2018-06-26T15:25:30	iterator: introduce `git_iterator_foreach` Introduce a `git_iterator_foreach` helper function which invokes a callback on all files for a given iterator.
9d81defa	2018-06-28T16:26:08	apply tests: GIT_APPLY_LOCATION_INDEX with parsed patches
9c34c996	2018-06-25T17:03:14	apply: handle file additions Don't attempt to read the postimage file during a file addition, simply use an empty buffer as the postimage. Also, test that we can handle file additions.
3b5378c5	2018-06-25T16:27:06	apply: handle file deletions If the file was deleted in the postimage, do not attempt to update the target. Instead, ignore it and simply allow it to stay removed in our computed postimage. Also, test that we can handle file deletions.
eef34e4e	2018-06-28T16:24:21	apply tests: GIT_APPLY_LOCATION_INDEX with generated patches Test a simple patch application with `GIT_APPLY_LOCATION_INDEX`, which emulates `git apply --cached`.
af3287f8	2018-06-22T19:27:19	apply: test `git_apply` with a parsed patch Ensure that we can apply a simple patch to the working directory when we have parsed it from a patch file.
ff296b71	2018-03-19T19:50:52	apply: test `git_apply` application to a workdir Introduce a standard test applying a diff to a working directory with no complications.
c010c93b	2018-06-27T16:50:07	apply tests: move helpers into common area
f83bbe0a	2018-03-19T19:50:45	apply: introduce `git_apply` Introduce `git_apply`, which will take a `git_diff` and apply it to the working directory (akin to `git apply`), the index (akin to `git apply --cached`), or both (akin to `git apply --index`).
664cda6f	2018-03-19T20:10:38	apply: reimplement `git_apply_tree` with readers The generic `git_reader` interface simplifies `git_apply_tree` somewhat. Reimplement `git_apply_tree` with them.
35d525b0	2018-06-26T09:19:12	apply: test that failures don't dirty workdir Ensure that when a patch application fails (due to a conflict in the working directory, for example) that we do not half-apply the patch or otherwise leave the working directory dirty. This is rather obvious in our current apply implementation (we do a two step process: one to create the post-image and one to check it out) but this test is a safety net for future refactoring or improvements.
d73043a2	2018-03-19T20:10:31	reader: a generic way to read files from repos Similar to the `git_iterator` interface, the `git_reader` interface will allow us to read file contents from an arbitrary repository-backed data source (trees, index, or working directory).
2bd3cfea	2018-06-29T11:43:55	apply tests: modified wd items are ok when applying to index When applying to the index (using `GIT_APPLY_LOCATION_INDEX`), ensure that items modified in the working directory do not conflict with the application.
c3077ea0	2018-06-25T21:24:49	apply: return a specific exit code on failure Return `GIT_EAPPLYFAIL` on patch application failure so that users can determine that patch application failed due to a malformed/conflicting patch by looking at the error code.
973bf0c8	2018-06-25T20:49:22	apply: test a patch can be applied even with a modified index Ensure that we can apply a patch to the working directory, even to files that are modified in the index (as long as the working directory contents match the preimage - such that the working directory is unmodified from HEAD).
02b1083a	2018-01-28T23:25:07	apply: introduce `git_apply_tree` Introduce `git_apply_tree`, which will apply a `git_diff` to a given `git_tree`, allowing an in-memory patch application for a repository.
2b12dcf6	2018-03-19T19:45:11	iterator: optionally hash filesystem iterators Optionally hash the contents of files encountered in the filesystem or working directory iterators. This is not expected to be used in production code paths, but may allow us to simplify some test contexts. For working directory iterators, apply filters as appropriate, since we have the context able to do it.
b5ae83bf	2018-10-31T08:47:10	Merge pull request #4860 from tiennou/ci/macos-leaks CI: Fix macOS leak detection
8c49b3bf	2018-10-30T22:32:57	tests: use CLAR_AT_EXIT to check for leaks on macOS
0e69485e	2018-10-23T20:34:47	clar: provide a way to run some shell before exiting
79558009	2018-10-26T15:40:16	Merge pull request #4800 from libgit2/ethomson/badgification README: more CI status badges
b7174dde	2018-10-26T14:59:50	Merge pull request #4867 from libgit2/ethomson/ci ci: Fix some minor issues
f195c385	2018-10-26T14:10:13	nightly: the path to yaml templates is relative Don't prefix the path to the yaml templates - the nightly template itself is already in the `azure-pipelines` directory. Instead, just use the relative path.
f22521ef	2018-10-26T12:31:39	ci: fail if requested test name is not found (unix) POSIX: the CMakeLists.txt configures the test names; when we query ctest for the test command-line to run, fail if the tests are not found.
05c51bb6	2018-10-26T06:35:57	ci: fail if requested test name is not found (win32) Win32: The CMakeLists.txt configures the test names; when we query ctest for the test command-line to run, fail if the tests are not found.
623647af	2018-10-26T12:33:59	Merge pull request #4864 from pks-t/pks/object-parse-fixes Object parse fixes
814389d4	2018-10-25T23:40:19	Merge pull request #4862 from libgit2/ethomson/win_ci Windows CI: fail build on test failure
cd248c70	2018-10-25T23:25:09	Merge pull request #4863 from libgit2/ethomson/ci_nightly ci: run all the jobs during nightly builds
be5a2ae2	2018-10-25T23:19:42	ci: run all the jobs during nightly builds Instead of running the oddball builds, run all the builds (the ones that we always run during PR validation and CI) during a nightly build for increased coverage.
0e26717a	2018-10-25T14:26:28	ci: fail on test failures PowerShell can _read_ top-level variables in functions, but cannot _update_ top-level variables in functions unless they're explicitly prefixed with `$global`.
7655b2d8	2018-10-19T10:29:19	commit: fix reading out of bounds when parsing encoding The commit message encoding is currently being parsed by the `git__prefixcmp` function. As this function does not accept a buffer length, it will happily skip over a buffer's end if it is not `NUL` terminated. Fix the issue by using `git__prefixncmp` instead. Add a test that verifies that we are unable to parse the encoding field if it's cut off by the supplied buffer length.
c2e3d8ef	2018-10-25T12:01:18	tests: add tests that exercise commit parsing We currently do not have any test suites dedicated to parsing commits from their raw representations. Add one based on `git_object__from_raw` to be able to test special cases more easily.
ee11d47e	2018-10-19T09:47:50	tag: fix out of bounds read when searching for tag message When parsing tags, we skip all unknown fields that appear before the tag message. This skipping is done by using a plain `strstr(buffer, "\n\n")` to search for the two newlines that separate tag fields from tag message. As it is not possible to supply a buffer length to `strstr`, this call may skip over the buffer's end and thus result in an out of bounds read. As `strstr` may return a pointer that is out of bounds, the following computation of `buffer_end - buffer` will overflow and result in an allocation of an invalid length. Fix the issue by using `git__memmem` instead. Add a test that verifies parsing the tag fails not due to the allocation failure but due to the tag having no message.
4c738e56	2018-10-19T09:44:14	tests: add tests that exercise tag parsing While the tests in object::tag::read exercises reading and parsing valid tags from the ODB, they barely try to verify that the parser fails in a sane way when parsing invalid tags. Create a new test suite object::tag::parse that directly exercise the parser by using `git_object__from_raw` and add various tests for valid and invalid tags.
83e8a6b3	2018-10-18T16:08:46	util: provide `git__memmem` function Unfortunately, neither the `memmem` nor the `strnstr` functions are part of any C standard but are merely extensions of C that are implemented by e.g. glibc. Thus, there is no standardized way to search for a string in a block of memory with a limited size, and using `strstr` is to be considered unsafe in case where the buffer has not been sanitized. In fact, there are some uses of `strstr` in exactly that unsafe way in our codebase. Provide a new function `git__memmem` that implements the `memmem` semantics. That is in a given haystack of `n` bytes, search for the occurrence of a byte sequence of `m` bytes and return a pointer to the first occurrence. The implementation chosen is the "Not So Naive" algorithm from [1]. It was chosen as the implementation is comparably simple while still being reasonably efficient in most cases. Preprocessing happens in constant time and space, searching has a time complexity of O(n*m) with a slightly sub-linear average case. [1]: http://www-igm.univ-mlv.fr/~lecroq/string/
bea65980	2018-10-25T11:21:14	Merge pull request #4851 from pks-t/pks/strtol-removal strtol removal
11945461	2018-10-25T11:17:52	Merge pull request #4854 from libgit2/ethomson/buf_oom_test buf::oom tests: use custom allocator for oom failures
fa274f7f	2018-10-23T22:34:45	ci: redirect the malloc debugging output to /dev/null
2e34efaa	2018-10-21T13:10:06	buf::oom tests: use custom allocator for oom failures Create a custom allocator for the `buf::oom` tests that will fail with out-of-memory errors in predictable ways. We were previously trying to guess the way that various allocators on various platforms would fail in a way such that `malloc`/`realloc` would return `NULL` (instead of aborting the application, or appearing suspicious to various instrumentation or static code analysis tools like valgrind.) Introduce a fake `malloc` and `realloc` that will return `NULL` on allocations requesting more than 100 bytes. Otherwise, we proxy to the default allocator. (It's important to use the _default_ allocator, not just call `malloc`, since the default allocator on Windows CI builds may be the debugging C runtime allocators which would not be compatible with a standard `malloc`.)
305e801a	2018-10-21T09:52:32	util: allow callers to reset custom allocators Provide a utility to reset custom allocators back to their default. This is particularly useful for testing.
671b2446	2018-10-21T12:50:46	Merge pull request #4804 from libgit2/ethomson/qemu-build ci: arm docker builds
7c557169	2018-10-21T10:34:38	ci: use trusty-amd64 for openssl and mbedtls We don't need two separate docker images for OpenSSL and mbedTLS. They've been combined into a single image `trusty-amd64` that supports both.
415a8ae9	2018-09-13T13:27:07	tests: don't run buf::oom on 32-bit systems On a 32-bit Linux systems, the value large enough to make malloc guarantee a failure is also large enough that valgrind considers it "fishy". Skip this test on those systems entirely.
9cc4ba5c	2018-09-13T16:12:41	valgrind: extend the suppressions file Newer dependencies means newer places to leak!
d82800e8	2018-10-21T09:31:42	ci: use bionic for non-amd64 builds Use Bionic so that we have a modern libssh2 (for communicating with GitHub). We've ported fixes to our Trusty-based amd64 images, but maintaining patches for multiple platforms is heinous.
b244ea79	2018-10-21T09:24:08	ci: introduce nightly x86 linux builds
f195395a	2018-10-21T09:16:35	ci: bind specifically to localhost for proxy Bind the proxy specifically to 127.0.0.1 instead of all addresses. This is not strictly necessary for operations, but having a potentially open proxy on a network is not a good idea.
0e521abd	2018-10-21T09:15:24	ci: introduce nightly arm docker builds Use multiarch arm32 and arm64 docker images to run Xenial-based images for those platforms. We can support all the tests on ARM32 and 64 _except_ the proxy-based tests. Our proxy on ARM seems regrettably unstable, either due to some shoddy dependencies (with native code?) or the JREs themselves. Run these platforms as part of our nightly builds; do not run them during pull request or CI validation.
28f05585	2018-10-21T09:20:10	ci: reorganize naming for consistency
4ec597dc	2018-10-21T09:12:43	ci: move configuration yaml to its own directory As the number of each grow, separate the CI build scripts from the YAML definitions.
7c791f3d	2018-10-20T20:25:51	Merge pull request #4852 from libgit2/ethomson/unc_paths Win32 path canonicalization refactoring
6cc14ae3	2018-10-20T20:22:04	Merge pull request #4840 from libgit2/cmn/validity-tree-from-unowned-index Check object existence when creating a tree from an index
a2f9f94b	2018-10-20T20:18:04	Merge branch 'issue-4203'
32b81661	2018-10-20T20:16:32	merge: don't leak the index during reloads
c79e6081	2018-10-20T19:08:16	checkout: fix test fixture missing objects The testrepo test fixture has an index file that's damaged, missing an object. The index previously had an entry of `src/index.c` with id 3161df8cbf3a006b4ef85be6497a0ea6bde98541, but that object was missing in the repository. This commit adds an object to the repository and updates the index to use that existing blob. Similarly, the index has an entry for `readme` with an id of 97328ac7e3bd0bcd3900cb3e7a624d71dd0df888. This can be restored from other test repositories. With these fixed, now the write tree from index tests can pass since they validate object existence.
2ad07ad5	2018-10-20T18:14:25	Merge pull request #4841 from tiennou/ci/ninja-build Ninja build
f77e6cc7	2018-10-19T17:10:01	ci: make the Ubuntu/OpenSSL build explicit
6a67e42d	2018-10-08T19:33:27	ci: use Ninja on macOS
0fccf017	2018-10-19T15:48:46	Merge pull request #4853 from libgit2/cmn/not-opaque docs: fix transparent/opaque confusion in the conventions file
69cd4141	2018-10-19T16:30:43	docs: fix transparent/opaque confusion in the conventions file
0a4284b1	2018-10-19T14:54:13	Merge pull request #4819 from libgit2/cmn/config-nonewline Configuration variables can appear on the same line as the section header
ea19efc1	2018-10-18T15:08:56	util: fix out of bounds read in error message When an integer that is parsed with `git__strntol32` is too big to fit into an int32, we will generate an error message that includes the actual string that failed to parse. This does not acknowledge the fact that the string may either not be NUL terminated or alternative include additional characters after the number that is to be parsed. We may thus end up printing characters into the buffer that aren't the number or, worse, read out of bounds. Fix the issue by utilizing the `endptr` that was set by `git__strntol64`. This pointer is guaranteed to be set to the first character following the number, and we can thus use it to compute the width of the number that shall be printed. Create a test to verify that we correctly truncate the number.
a34f5b0d	2018-10-18T08:57:27	win32: refactor `git_win32_path_remove_namespace` Update `git_win32_path_remove_namespace` to disambiguate the prefix being removed versus the prefix being added. Now we remove the "namespace", and (may) add a "prefix" in its place. Eg, we remove the `\\?\` namespace. We remove the `\\?\UNC\` namespace, and replace it with the `\\` prefix. This aids readability somewhat. Additionally, use pointer arithmetic instead of offsets, which seems to also help readability.
16fd9ba9	2018-10-17T11:34:38	win32: more tests for `git_win32_remove_path`
b2e85f98	2018-10-17T08:48:43	win32: rename `git_win32__canonicalize_path` The internal API `git_win32__canonicalize_path` is far, far too easily confused with the internal API `git_win32_path_canonicalize`. The former removes the namespace prefix from a path (eg, given `\\?\C:\Temp\foo`, it returns `C:\Temp\foo`, and given `\\?\UNC\server\share`, it returns `\\server\share`). As such, rename it to `git_win32_path_remove_namespace`. `git_win32_path_canonicalize` remains unchanged.
b09c1c7b	2018-10-18T14:37:55	util: avoid signed integer overflows in `git__strntol64` While `git__strntol64` tries to detect integer overflows when doing the necessary arithmetics to come up with the final result, it does the detection only after the fact. This check thus relies on undefined behavior of signed integer overflows. Fix this by instead checking up-front whether the multiplications or additions will overflow. Note that a detected overflow will not cause us to abort parsing the current sequence of digits. In the case of an overflow, previous behavior was to still set up the end pointer correctly to point to the first character immediately after the currently parsed number. We do not want to change this now as code may rely on the end pointer being set up correctly even if the parsed number is too big to be represented as 64 bit integer.
39087ab8	2018-10-18T12:11:33	tests: core::strtol: test for some more edge-cases Some edge cases were currently completely untested, e.g. parsing numbers greater than INT64_{MIN,MAX}, truncating buffers by length and invalid characters. Add tests to verify that the system under test performs as expected.
8d7fa88a	2018-10-18T12:04:07	util: remove `git__strtol32` The function `git__strtol32` can easily be misused when untrusted data is passed to it that may not have been sanitized with trailing `NUL` bytes. As all usages of this function have now been removed, we can remove this function altogether to avoid future misuse of it.
2613fbb2	2018-10-18T11:58:14	global: replace remaining use of `git__strtol32` Replace remaining uses of the `git__strtol32` function. While these uses are all safe as the strings were either sanitized or from a trusted source, we want to remove `git__strtol32` altogether to avoid future misuse.
21652ee9	2018-10-18T11:43:30	tree-cache: avoid out-of-bound reads when parsing trees We use the `git__strtol32` function to parse the child and entry count of treecaches from the index, which do not accept a buffer length. As the buffer that is being passed in is untrusted data and may thus be malformed and may not contain a terminating `NUL` byte, we can overrun the buffer and thus perform an out-of-bounds read. Fix the issue by uzing `git__strntol32` instead.
68deb2cc	2018-10-18T11:37:10	util: remove unsafe `git__strtol64` function The function `git__strtol64` does not take a maximum buffer length as parameter. This has led to some unsafe usages of this function, and as such we may consider it as being unsafe to use. As we have now eradicated all usages of this function, let's remove it completely to avoid future misuse.
1a2efd10	2018-10-18T11:35:08	config: remove last instance of `git__strntol64` When parsing integers from configuration values, we use `git__strtol64`. This is fine to do, as we always sanitize values and can thus be sure that they'll have a terminating `NUL` byte. But as this is the last call-site of `git__strtol64`, let's just pass in the length explicitly by calling `strlen` on the value to be able to remove `git__strtol64` altogether.
3db9aa6f	2018-10-18T11:32:48	signature: avoid out-of-bounds reads when parsing signature dates We use `git__strtol64` and `git__strtol32` to parse the trailing commit or author date and timezone of signatures. As signatures are usually part of a commit or tag object and thus essentially untrusted data, the buffer may be misformatted and may not be `NUL` terminated. This may lead to an out-of-bounds read. Fix the issue by using `git__strntol64` and `git__strntol32` instead.
600ceadd	2018-10-18T11:29:06	index: avoid out-of-bounds read when reading reuc entry stage We use `git__strtol64` to parse file modes of the index entries, which does not limit the parsed buffer length. As the index can be essentially treated as "untrusted" in that the data stems from the file system, it may be misformatted and may not contain terminating `NUL` bytes. This may lead to out-of-bounds reads when trying to parse index entries with such malformatted modes. Fix the issue by using `git__strntol64` instead.
1a3fa1f5	2018-10-18T11:25:59	commit_list: avoid use of strtol64 without length limit When quick-parsing a commit, we use `git__strtol64` to parse the commit's time. The buffer that's passed to `commit_quick_parse` is the raw data of an ODB object, though, whose data may not be properly formatted and also does not have to be `NUL` terminated. This may lead to out-of-bound reads. Use `git__strntol64` to avoid this problem.
f010b66b	2018-10-17T14:33:47	Merge pull request #4849 from libgit2/cmn/expose-gitfile-check path: export the dotgit-checking functions
5be63f6d	2018-10-17T10:01:22	Merge pull request #4850 from libgit2/ethomson/libssh2_not_libssh cmake: correct comment from libssh to libssh2
b160a64f	2018-10-17T09:38:30	cmake: correct comment from libssh to libssh2 We use libssh2. We do not use libssh. Make sure to disambiguate them correctly.
7615794c	2018-10-15T18:08:13	Merge pull request #4845 from pks-t/pks/object-fuzzer Object parsing fuzzer
9b6e4081	2018-10-15T17:08:38	Merge commit 'afd10f0' (Follow 308 redirects)
05e54e00	2018-10-15T13:54:17	path: export the dotgit-checking functions These checks are preformed by libgit2 on checkout, but they're also useful for performing checks in applications which do not involve checkout. Expose them under `sys/` as it's still fairly in the weeds even for this library.
1d718fa5	2018-09-28T11:55:34	config: variables might appear on the same line as a section header While rare and a machine would typically not generate such a configuration file, it is nevertheless valid to write [foo "bar"] baz = true and we need to deal with that instead of assuming everything is on its own line.
1cbc9604	2018-09-28T10:57:50	config: add failing test for no newline after section header
afd10f0b	2018-10-13T09:31:20	Follow 308 redirects (as used by GitLab)
814e7acb	2018-10-12T12:38:06	Merge pull request #4842 from nelhage/fuzz-config-memory config: Port config_file_fuzzer to the new in-memory backend.
463c21e2	2018-10-11T13:27:06	Apply code review feedback
a1d5fd06	2018-10-11T12:46:11	fuzzers: add object parsing fuzzer Add a simple fuzzer that exercises our object parser code. The fuzzer is quite trivial in that it simply passes the input data directly to `git_object__from_raw` for each of the four object types.
6562cdda	2018-10-11T12:43:08	object: properly propagate errors on parsing failures When failing to parse a raw object fromits data, we free the partially parsed object but then fail to propagate the error to the caller. This may lead callers to operate on objects with invalid memory, which will sooner or later cause the program to segfault. Fix the issue by passing up the error code returned by `parse_raw`.
6956a954	2018-10-11T12:26:44	fuzzers: initialize libgit2 in standalone driver The standalone driver for libgit2's fuzzing targets makes use of functions from libgit2 itself. While this is totally fine to do, we need to make sure to always have libgit2 initialized via `git_libgit2_init` before we call out to any of these. While this happens in most cases as we call `LLVMFuzzerInitialize`, which is provided by our fuzzers and which right now always calls `git_libgit2_init`, one exception to this rule is our error path when not enough arguments have been given. In this case, we will call `git_vector_free_deep` without libgit2 having been initialized. As we did not set up our allocation functions in that case, this will lead to a segmentation fault. Fix the issue by always initializing and shutting down libgit2 in the standalone driver. Note that we cannot let this replace the initialization in `LLVMFuzzerInitialize`, as it is required when using the "real" fuzzers by LLVM without our standalone driver. It's no problem to call the initialization and deinitialization functions multiple times, though.

4ff829e9

2018-06-30T17:20:03

apply tests: test index+workdir application Test application with `GIT_APPLY_LOCATION_BOTH`, which emulates `git apply --index`, updating both the index and the working directory with the postimage.

dddfff77

2018-06-30T17:12:16

apply: convert checkout conflicts to apply failures When there's a checkout conflict during apply, that means that the working directory was modified in a conflicting manner and the postimage cannot be written. During application, convert this to an application failure for consistency across workdir/index/both applications.

771bd81e

2018-06-29T12:40:16

apply tests: ensure apply failures leave index unmodified

5b66b667

2018-06-29T12:39:41

apply: when preimage file is missing, return EAPPLYFAIL The preimage file being missing entirely is simply a case of an application failure; return the correct error value for the caller.

9db66c79

2018-06-29T12:50:38

apply test: apply with non-conflicting changes Ensure that we can apply to the working directory or the index when the application target is modified, so long as there are not conflicting changes to the items.

e0224121

2018-06-29T12:09:02

apply: simplify checkout vs index application Separate the concerns of applying via checkout and updating the repository's index. This results in simpler functionality and allows us to not build the temporary collection of paths in the index case.

d7090ee4

2018-06-28T17:26:24

apply tests: ensure we can add and remove files from the index Add a test that adds a new file, and another that removes a file when applying using `GIT_APPLY_LOCATION_INDEX` to ensure that they work.

553395dc

2018-06-25T20:21:01

apply: test that the index is not modified Ensure that by default, when using GIT_APPLY_LOCATION_WORKDIR, that patch application does not update the index, only the working directory.

0eb63b9f

2018-06-25T19:50:35

apply tests: separate common patch hunks Move the commonly-used patch hunks into a single constant location. This allows us to avoid re-declaring them in each test, and allows us to compose them to build a larger patch file that includes all the hunks.

20f8a6db

2018-06-28T17:26:21

apply: remove deleted paths from index We update the index with the new_file side of the delta, but we need to explicitly remove the old_file path in the case where an item was deleted or renamed.

702d4bec

2018-06-26T15:26:37

apply tests: use `git_iterator_foreach` for tests Use the new `git_iterator_foreach` API to validate the workdir against the expected workdir values instead of using the paired/multi iterator comparison callback. This allows us to use the `git_iterator_foreach` to validate the index as well, instead of assuming that the index and HEAD must always match.

d54aa9ae

2018-06-26T15:25:30

iterator: introduce `git_iterator_foreach` Introduce a `git_iterator_foreach` helper function which invokes a callback on all files for a given iterator.

9d81defa

2018-06-28T16:26:08

apply tests: GIT_APPLY_LOCATION_INDEX with parsed patches

9c34c996

2018-06-25T17:03:14

apply: handle file additions Don't attempt to read the postimage file during a file addition, simply use an empty buffer as the postimage. Also, test that we can handle file additions.

3b5378c5

2018-06-25T16:27:06

apply: handle file deletions If the file was deleted in the postimage, do not attempt to update the target. Instead, ignore it and simply allow it to stay removed in our computed postimage. Also, test that we can handle file deletions.

eef34e4e

2018-06-28T16:24:21

apply tests: GIT_APPLY_LOCATION_INDEX with generated patches Test a simple patch application with `GIT_APPLY_LOCATION_INDEX`, which emulates `git apply --cached`.

af3287f8

2018-06-22T19:27:19

apply: test `git_apply` with a parsed patch Ensure that we can apply a simple patch to the working directory when we have parsed it from a patch file.

ff296b71

2018-03-19T19:50:52

apply: test `git_apply` application to a workdir Introduce a standard test applying a diff to a working directory with no complications.

c010c93b

2018-06-27T16:50:07

apply tests: move helpers into common area

f83bbe0a

2018-03-19T19:50:45

apply: introduce `git_apply` Introduce `git_apply`, which will take a `git_diff` and apply it to the working directory (akin to `git apply`), the index (akin to `git apply --cached`), or both (akin to `git apply --index`).

664cda6f

2018-03-19T20:10:38

apply: reimplement `git_apply_tree` with readers The generic `git_reader` interface simplifies `git_apply_tree` somewhat. Reimplement `git_apply_tree` with them.

35d525b0

2018-06-26T09:19:12

apply: test that failures don't dirty workdir Ensure that when a patch application fails (due to a conflict in the working directory, for example) that we do not half-apply the patch or otherwise leave the working directory dirty. This is rather obvious in our current apply implementation (we do a two step process: one to create the post-image and one to check it out) but this test is a safety net for future refactoring or improvements.

d73043a2

2018-03-19T20:10:31

reader: a generic way to read files from repos Similar to the `git_iterator` interface, the `git_reader` interface will allow us to read file contents from an arbitrary repository-backed data source (trees, index, or working directory).

2bd3cfea

2018-06-29T11:43:55

apply tests: modified wd items are ok when applying to index When applying to the index (using `GIT_APPLY_LOCATION_INDEX`), ensure that items modified in the working directory do not conflict with the application.

c3077ea0

2018-06-25T21:24:49

apply: return a specific exit code on failure Return `GIT_EAPPLYFAIL` on patch application failure so that users can determine that patch application failed due to a malformed/conflicting patch by looking at the error code.

973bf0c8

2018-06-25T20:49:22

apply: test a patch can be applied even with a modified index Ensure that we can apply a patch to the working directory, even to files that are modified in the index (as long as the working directory contents match the preimage - such that the working directory is unmodified from HEAD).

02b1083a

2018-01-28T23:25:07

apply: introduce `git_apply_tree` Introduce `git_apply_tree`, which will apply a `git_diff` to a given `git_tree`, allowing an in-memory patch application for a repository.

2b12dcf6

2018-03-19T19:45:11

iterator: optionally hash filesystem iterators Optionally hash the contents of files encountered in the filesystem or working directory iterators. This is not expected to be used in production code paths, but may allow us to simplify some test contexts. For working directory iterators, apply filters as appropriate, since we have the context able to do it.

b5ae83bf

2018-10-31T08:47:10

Merge pull request #4860 from tiennou/ci/macos-leaks CI: Fix macOS leak detection

8c49b3bf

2018-10-30T22:32:57

tests: use CLAR_AT_EXIT to check for leaks on macOS

0e69485e

2018-10-23T20:34:47

clar: provide a way to run some shell before exiting

79558009

2018-10-26T15:40:16

Merge pull request #4800 from libgit2/ethomson/badgification README: more CI status badges

b7174dde

2018-10-26T14:59:50

Merge pull request #4867 from libgit2/ethomson/ci ci: Fix some minor issues

f195c385

2018-10-26T14:10:13

nightly: the path to yaml templates is relative Don't prefix the path to the yaml templates - the nightly template itself is already in the `azure-pipelines` directory. Instead, just use the relative path.

f22521ef

2018-10-26T12:31:39

ci: fail if requested test name is not found (unix) POSIX: the CMakeLists.txt configures the test names; when we query ctest for the test command-line to run, fail if the tests are not found.

05c51bb6

2018-10-26T06:35:57

ci: fail if requested test name is not found (win32) Win32: The CMakeLists.txt configures the test names; when we query ctest for the test command-line to run, fail if the tests are not found.

623647af

2018-10-26T12:33:59

Merge pull request #4864 from pks-t/pks/object-parse-fixes Object parse fixes

814389d4

2018-10-25T23:40:19

Merge pull request #4862 from libgit2/ethomson/win_ci Windows CI: fail build on test failure

cd248c70

2018-10-25T23:25:09

Merge pull request #4863 from libgit2/ethomson/ci_nightly ci: run all the jobs during nightly builds

be5a2ae2

2018-10-25T23:19:42

ci: run all the jobs during nightly builds Instead of running the oddball builds, run all the builds (the ones that we always run during PR validation and CI) during a nightly build for increased coverage.

0e26717a

2018-10-25T14:26:28

ci: fail on test failures PowerShell can _read_ top-level variables in functions, but cannot _update_ top-level variables in functions unless they're explicitly prefixed with `$global`.

7655b2d8

2018-10-19T10:29:19

commit: fix reading out of bounds when parsing encoding The commit message encoding is currently being parsed by the `git__prefixcmp` function. As this function does not accept a buffer length, it will happily skip over a buffer's end if it is not `NUL` terminated. Fix the issue by using `git__prefixncmp` instead. Add a test that verifies that we are unable to parse the encoding field if it's cut off by the supplied buffer length.

c2e3d8ef

2018-10-25T12:01:18

tests: add tests that exercise commit parsing We currently do not have any test suites dedicated to parsing commits from their raw representations. Add one based on `git_object__from_raw` to be able to test special cases more easily.

ee11d47e

2018-10-19T09:47:50

tag: fix out of bounds read when searching for tag message When parsing tags, we skip all unknown fields that appear before the tag message. This skipping is done by using a plain `strstr(buffer, "\n\n")` to search for the two newlines that separate tag fields from tag message. As it is not possible to supply a buffer length to `strstr`, this call may skip over the buffer's end and thus result in an out of bounds read. As `strstr` may return a pointer that is out of bounds, the following computation of `buffer_end - buffer` will overflow and result in an allocation of an invalid length. Fix the issue by using `git__memmem` instead. Add a test that verifies parsing the tag fails not due to the allocation failure but due to the tag having no message.

4c738e56

2018-10-19T09:44:14

tests: add tests that exercise tag parsing While the tests in object::tag::read exercises reading and parsing valid tags from the ODB, they barely try to verify that the parser fails in a sane way when parsing invalid tags. Create a new test suite object::tag::parse that directly exercise the parser by using `git_object__from_raw` and add various tests for valid and invalid tags.

83e8a6b3

2018-10-18T16:08:46

util: provide `git__memmem` function Unfortunately, neither the `memmem` nor the `strnstr` functions are part of any C standard but are merely extensions of C that are implemented by e.g. glibc. Thus, there is no standardized way to search for a string in a block of memory with a limited size, and using `strstr` is to be considered unsafe in case where the buffer has not been sanitized. In fact, there are some uses of `strstr` in exactly that unsafe way in our codebase. Provide a new function `git__memmem` that implements the `memmem` semantics. That is in a given haystack of `n` bytes, search for the occurrence of a byte sequence of `m` bytes and return a pointer to the first occurrence. The implementation chosen is the "Not So Naive" algorithm from [1]. It was chosen as the implementation is comparably simple while still being reasonably efficient in most cases. Preprocessing happens in constant time and space, searching has a time complexity of O(n*m) with a slightly sub-linear average case. [1]: http://www-igm.univ-mlv.fr/~lecroq/string/

bea65980

2018-10-25T11:21:14

Merge pull request #4851 from pks-t/pks/strtol-removal strtol removal

11945461

2018-10-25T11:17:52

Merge pull request #4854 from libgit2/ethomson/buf_oom_test buf::oom tests: use custom allocator for oom failures

fa274f7f

2018-10-23T22:34:45

ci: redirect the malloc debugging output to /dev/null

2e34efaa

2018-10-21T13:10:06

buf::oom tests: use custom allocator for oom failures Create a custom allocator for the `buf::oom` tests that will fail with out-of-memory errors in predictable ways. We were previously trying to guess the way that various allocators on various platforms would fail in a way such that `malloc`/`realloc` would return `NULL` (instead of aborting the application, or appearing suspicious to various instrumentation or static code analysis tools like valgrind.) Introduce a fake `malloc` and `realloc` that will return `NULL` on allocations requesting more than 100 bytes. Otherwise, we proxy to the default allocator. (It's important to use the _default_ allocator, not just call `malloc`, since the default allocator on Windows CI builds may be the debugging C runtime allocators which would not be compatible with a standard `malloc`.)

305e801a

2018-10-21T09:52:32

util: allow callers to reset custom allocators Provide a utility to reset custom allocators back to their default. This is particularly useful for testing.

671b2446

2018-10-21T12:50:46

Merge pull request #4804 from libgit2/ethomson/qemu-build ci: arm docker builds

7c557169

2018-10-21T10:34:38

ci: use trusty-amd64 for openssl and mbedtls We don't need two separate docker images for OpenSSL and mbedTLS. They've been combined into a single image `trusty-amd64` that supports both.

415a8ae9

2018-09-13T13:27:07

tests: don't run buf::oom on 32-bit systems On a 32-bit Linux systems, the value large enough to make malloc guarantee a failure is also large enough that valgrind considers it "fishy". Skip this test on those systems entirely.

9cc4ba5c

2018-09-13T16:12:41

valgrind: extend the suppressions file Newer dependencies means newer places to leak!

d82800e8

2018-10-21T09:31:42

ci: use bionic for non-amd64 builds Use Bionic so that we have a modern libssh2 (for communicating with GitHub). We've ported fixes to our Trusty-based amd64 images, but maintaining patches for multiple platforms is heinous.

b244ea79

2018-10-21T09:24:08

ci: introduce nightly x86 linux builds

f195395a

2018-10-21T09:16:35

ci: bind specifically to localhost for proxy Bind the proxy specifically to 127.0.0.1 instead of all addresses. This is not strictly necessary for operations, but having a potentially open proxy on a network is not a good idea.

0e521abd

2018-10-21T09:15:24

ci: introduce nightly arm docker builds Use multiarch arm32 and arm64 docker images to run Xenial-based images for those platforms. We can support all the tests on ARM32 and 64 _except_ the proxy-based tests. Our proxy on ARM seems regrettably unstable, either due to some shoddy dependencies (with native code?) or the JREs themselves. Run these platforms as part of our nightly builds; do not run them during pull request or CI validation.

28f05585

2018-10-21T09:20:10

ci: reorganize naming for consistency

4ec597dc

2018-10-21T09:12:43

ci: move configuration yaml to its own directory As the number of each grow, separate the CI build scripts from the YAML definitions.

7c791f3d

2018-10-20T20:25:51

Merge pull request #4852 from libgit2/ethomson/unc_paths Win32 path canonicalization refactoring

6cc14ae3

2018-10-20T20:22:04

Merge pull request #4840 from libgit2/cmn/validity-tree-from-unowned-index Check object existence when creating a tree from an index

a2f9f94b

2018-10-20T20:18:04

Merge branch 'issue-4203'

32b81661

2018-10-20T20:16:32

merge: don't leak the index during reloads

c79e6081

2018-10-20T19:08:16

checkout: fix test fixture missing objects The testrepo test fixture has an index file that's damaged, missing an object. The index previously had an entry of `src/index.c` with id 3161df8cbf3a006b4ef85be6497a0ea6bde98541, but that object was missing in the repository. This commit adds an object to the repository and updates the index to use that existing blob. Similarly, the index has an entry for `readme` with an id of 97328ac7e3bd0bcd3900cb3e7a624d71dd0df888. This can be restored from other test repositories. With these fixed, now the write tree from index tests can pass since they validate object existence.

2ad07ad5

2018-10-20T18:14:25

Merge pull request #4841 from tiennou/ci/ninja-build Ninja build

f77e6cc7

2018-10-19T17:10:01

ci: make the Ubuntu/OpenSSL build explicit

6a67e42d

2018-10-08T19:33:27

ci: use Ninja on macOS

0fccf017

2018-10-19T15:48:46

Merge pull request #4853 from libgit2/cmn/not-opaque docs: fix transparent/opaque confusion in the conventions file

69cd4141

2018-10-19T16:30:43

docs: fix transparent/opaque confusion in the conventions file

0a4284b1

2018-10-19T14:54:13

Merge pull request #4819 from libgit2/cmn/config-nonewline Configuration variables can appear on the same line as the section header

ea19efc1

2018-10-18T15:08:56

util: fix out of bounds read in error message When an integer that is parsed with `git__strntol32` is too big to fit into an int32, we will generate an error message that includes the actual string that failed to parse. This does not acknowledge the fact that the string may either not be NUL terminated or alternative include additional characters after the number that is to be parsed. We may thus end up printing characters into the buffer that aren't the number or, worse, read out of bounds. Fix the issue by utilizing the `endptr` that was set by `git__strntol64`. This pointer is guaranteed to be set to the first character following the number, and we can thus use it to compute the width of the number that shall be printed. Create a test to verify that we correctly truncate the number.

a34f5b0d

2018-10-18T08:57:27

win32: refactor `git_win32_path_remove_namespace` Update `git_win32_path_remove_namespace` to disambiguate the prefix being removed versus the prefix being added. Now we remove the "namespace", and (may) add a "prefix" in its place. Eg, we remove the `\\?\` namespace. We remove the `\\?\UNC\` namespace, and replace it with the `\\` prefix. This aids readability somewhat. Additionally, use pointer arithmetic instead of offsets, which seems to also help readability.

16fd9ba9

2018-10-17T11:34:38

win32: more tests for `git_win32_remove_path`

b2e85f98

2018-10-17T08:48:43

win32: rename `git_win32__canonicalize_path` The internal API `git_win32__canonicalize_path` is far, far too easily confused with the internal API `git_win32_path_canonicalize`. The former removes the namespace prefix from a path (eg, given `\\?\C:\Temp\foo`, it returns `C:\Temp\foo`, and given `\\?\UNC\server\share`, it returns `\\server\share`). As such, rename it to `git_win32_path_remove_namespace`. `git_win32_path_canonicalize` remains unchanged.

b09c1c7b

2018-10-18T14:37:55

util: avoid signed integer overflows in `git__strntol64` While `git__strntol64` tries to detect integer overflows when doing the necessary arithmetics to come up with the final result, it does the detection only after the fact. This check thus relies on undefined behavior of signed integer overflows. Fix this by instead checking up-front whether the multiplications or additions will overflow. Note that a detected overflow will not cause us to abort parsing the current sequence of digits. In the case of an overflow, previous behavior was to still set up the end pointer correctly to point to the first character immediately after the currently parsed number. We do not want to change this now as code may rely on the end pointer being set up correctly even if the parsed number is too big to be represented as 64 bit integer.

39087ab8

2018-10-18T12:11:33

tests: core::strtol: test for some more edge-cases Some edge cases were currently completely untested, e.g. parsing numbers greater than INT64_{MIN,MAX}, truncating buffers by length and invalid characters. Add tests to verify that the system under test performs as expected.

8d7fa88a

2018-10-18T12:04:07

util: remove `git__strtol32` The function `git__strtol32` can easily be misused when untrusted data is passed to it that may not have been sanitized with trailing `NUL` bytes. As all usages of this function have now been removed, we can remove this function altogether to avoid future misuse of it.

2613fbb2

2018-10-18T11:58:14

global: replace remaining use of `git__strtol32` Replace remaining uses of the `git__strtol32` function. While these uses are all safe as the strings were either sanitized or from a trusted source, we want to remove `git__strtol32` altogether to avoid future misuse.

21652ee9

2018-10-18T11:43:30

tree-cache: avoid out-of-bound reads when parsing trees We use the `git__strtol32` function to parse the child and entry count of treecaches from the index, which do not accept a buffer length. As the buffer that is being passed in is untrusted data and may thus be malformed and may not contain a terminating `NUL` byte, we can overrun the buffer and thus perform an out-of-bounds read. Fix the issue by uzing `git__strntol32` instead.

68deb2cc

2018-10-18T11:37:10

util: remove unsafe `git__strtol64` function The function `git__strtol64` does not take a maximum buffer length as parameter. This has led to some unsafe usages of this function, and as such we may consider it as being unsafe to use. As we have now eradicated all usages of this function, let's remove it completely to avoid future misuse.

1a2efd10

2018-10-18T11:35:08

config: remove last instance of `git__strntol64` When parsing integers from configuration values, we use `git__strtol64`. This is fine to do, as we always sanitize values and can thus be sure that they'll have a terminating `NUL` byte. But as this is the last call-site of `git__strtol64`, let's just pass in the length explicitly by calling `strlen` on the value to be able to remove `git__strtol64` altogether.

3db9aa6f

2018-10-18T11:32:48

signature: avoid out-of-bounds reads when parsing signature dates We use `git__strtol64` and `git__strtol32` to parse the trailing commit or author date and timezone of signatures. As signatures are usually part of a commit or tag object and thus essentially untrusted data, the buffer may be misformatted and may not be `NUL` terminated. This may lead to an out-of-bounds read. Fix the issue by using `git__strntol64` and `git__strntol32` instead.

600ceadd

2018-10-18T11:29:06

index: avoid out-of-bounds read when reading reuc entry stage We use `git__strtol64` to parse file modes of the index entries, which does not limit the parsed buffer length. As the index can be essentially treated as "untrusted" in that the data stems from the file system, it may be misformatted and may not contain terminating `NUL` bytes. This may lead to out-of-bounds reads when trying to parse index entries with such malformatted modes. Fix the issue by using `git__strntol64` instead.

1a3fa1f5

2018-10-18T11:25:59

commit_list: avoid use of strtol64 without length limit When quick-parsing a commit, we use `git__strtol64` to parse the commit's time. The buffer that's passed to `commit_quick_parse` is the raw data of an ODB object, though, whose data may not be properly formatted and also does not have to be `NUL` terminated. This may lead to out-of-bound reads. Use `git__strntol64` to avoid this problem.

f010b66b

2018-10-17T14:33:47

Merge pull request #4849 from libgit2/cmn/expose-gitfile-check path: export the dotgit-checking functions

5be63f6d

2018-10-17T10:01:22

Merge pull request #4850 from libgit2/ethomson/libssh2_not_libssh cmake: correct comment from libssh to libssh2

b160a64f

2018-10-17T09:38:30

cmake: correct comment from libssh to libssh2 We use libssh2. We do not use libssh. Make sure to disambiguate them correctly.

7615794c

2018-10-15T18:08:13

Merge pull request #4845 from pks-t/pks/object-fuzzer Object parsing fuzzer

9b6e4081

2018-10-15T17:08:38

Merge commit 'afd10f0' (Follow 308 redirects)

05e54e00

2018-10-15T13:54:17

path: export the dotgit-checking functions These checks are preformed by libgit2 on checkout, but they're also useful for performing checks in applications which do not involve checkout. Expose them under `sys/` as it's still fairly in the weeds even for this library.

1d718fa5

2018-09-28T11:55:34

config: variables might appear on the same line as a section header While rare and a machine would typically not generate such a configuration file, it is nevertheless valid to write [foo "bar"] baz = true and we need to deal with that instead of assuming everything is on its own line.

1cbc9604

2018-09-28T10:57:50

config: add failing test for no newline after section header

afd10f0b

2018-10-13T09:31:20

Follow 308 redirects (as used by GitLab)

814e7acb

2018-10-12T12:38:06

Merge pull request #4842 from nelhage/fuzz-config-memory config: Port config_file_fuzzer to the new in-memory backend.

463c21e2

2018-10-11T13:27:06

Apply code review feedback

a1d5fd06

2018-10-11T12:46:11

fuzzers: add object parsing fuzzer Add a simple fuzzer that exercises our object parser code. The fuzzer is quite trivial in that it simply passes the input data directly to `git_object__from_raw` for each of the four object types.

6562cdda

2018-10-11T12:43:08

object: properly propagate errors on parsing failures When failing to parse a raw object fromits data, we free the partially parsed object but then fail to propagate the error to the caller. This may lead callers to operate on objects with invalid memory, which will sooner or later cause the program to segfault. Fix the issue by passing up the error code returned by `parse_raw`.

6956a954

2018-10-11T12:26:44

fuzzers: initialize libgit2 in standalone driver The standalone driver for libgit2's fuzzing targets makes use of functions from libgit2 itself. While this is totally fine to do, we need to make sure to always have libgit2 initialized via `git_libgit2_init` before we call out to any of these. While this happens in most cases as we call `LLVMFuzzerInitialize`, which is provided by our fuzzers and which right now always calls `git_libgit2_init`, one exception to this rule is our error path when not enough arguments have been given. In this case, we will call `git_vector_free_deep` without libgit2 having been initialized. As we did not set up our allocation functions in that case, this will lead to a segmentation fault. Fix the issue by always initializing and shutting down libgit2 in the standalone driver. Note that we cannot let this replace the initialization in `LLVMFuzzerInitialize`, as it is required when using the "real" fuzzers by LLVM without our standalone driver. It's no problem to call the initialization and deinitialization functions multiple times, though.

thodg/libgit2

Log