src


Log

Author Commit Date CI Message
Patrick Steinhardt 0ceac0d0 2019-01-23T14:45:19 mbedtls: fix potential size overflow when reading or writing data The mbedtls library uses a callback mechanism to allow downstream users to plug in their own receive and send functions. We implement `bio_read` and `bio_write` functions, which simply wrap the `git_stream_read` and `git_stream_write` functions, respectively. The problem arises due to the return value of the callback functions: mbedtls expects us to return an `int` containing the actual number of bytes that were read or written. But this is in fact completely misdesigned, as callers are allowed to pass in a buffer with length `SIZE_MAX`. We thus may be unable to represent the number of bytes written via the return value. Fix this by only ever reading or writing at most `INT_MAX` bytes.
Patrick Steinhardt 75918aba 2019-01-23T14:43:54 mbedtls: make global variables static The mbedtls stream implementation makes use of some global variables which are not marked as `static`, even though they're only used in this compilation unit. Fix this and remove a duplicate declaration.
Patrick Steinhardt 657197e6 2019-01-23T15:54:05 openssl: fix potential size overflow when writing data Our `openssl_write` function calls `SSL_write` by passing in both `data` and `len` arguments directly. Thing is, our `len` parameter is of type `size_t` and theirs is of type `int`. We thus need to clamp our length to be at most `INT_MAX`.
Patrick Steinhardt 7613086d 2019-01-23T15:49:28 streams: handle short writes only in generic stream Now that the function `git_stream__write_full` exists and callers of `git_stream_write` have been adjusted, we can lift logic for short writes out of the stream implementations. Instead, this is now handled either by `git_stream__write_full` or by callers of `git_stream_write` directly.
Patrick Steinhardt 5265b31c 2019-01-23T15:00:20 streams: fix callers potentially only writing partial data Similar to the write(3) function, implementations of `git_stream_write` do not guarantee that all bytes are written. Instead, they return the number of bytes that actually have been written, which may be smaller than the total number of bytes. Furthermore, due to an interface design issue, we cannot ever write more than `SSIZE_MAX` bytes at once, as otherwise we cannot represent the number of bytes written to the caller. Unfortunately, no caller of `git_stream_write` ever checks the return value, except to verify that no error occurred. Due to this, they are susceptible to the case where only partial data has been written. Fix this by introducing a new function `git_stream__write_full`. In contrast to `git_stream_write`, it will always return either success or failure, without returning the number of bytes written. Thus, it is able to write all `SIZE_MAX` bytes and loop around `git_stream_write` until all data has been written. Adjust all callers except the BIO callbacks in our mbedtls and OpenSSL streams, which already do the right thing and require the amount of bytes written.
Patrick Steinhardt 193e7ce9 2019-01-23T15:42:07 streams: make file-local functions static The callback functions that implement the `git_stream` structure are only used inside of their respective implementation files, but they are not marked as `static`. Fix this.
Edward Thomson ae681d3f 2019-01-21T00:49:07 apply: make update_hunk accept a size_t
Edward Thomson fac08837 2019-01-21T11:38:46 filter: return an int Validate that the return value of the read is not less than INT_MAX, then cast.
Edward Thomson 89bd4ddb 2019-01-21T11:32:53 diff_generate: validate oid file size Index entries are 32 bit unsigned ints, not `size_t`s.
Edward Thomson fd9d4e28 2019-01-21T11:29:16 describe: don't mix and match abbreviated size types The git_describe_format_options.abbreviated_size type is an unsigned int. There's no need for it to be anything else; keep it what it is.
Edward Thomson 751eb462 2019-01-21T11:20:18 delta: validate sizes and cast safely Quiet down a warning from MSVC about how we're potentially losing data. Validate that our data will fit into the type provided then cast.
Edward Thomson 4947216f 2019-01-21T11:11:27 git transport: only write INT_MAX bytes The transport code returns an `int` with the number of bytes written; thus only attempt to write at most `INT_MAX`.
Edward Thomson a861839d 2019-01-21T10:55:59 windows: add SSIZE_MAX Windows doesn't include ssize_t or its _MAX value by default. We are already declaring ssize_t as SSIZE_T, which is __int64_t on Win64 and long otherwise. Include its _MAX value as a correspondence to its type.
Edward Thomson f1986a23 2019-01-21T09:56:23 streams: don't write more than SSIZE_MAX Our streams implementation takes a `size_t` that indicates the length of the data buffer to be written, and returns an `ssize_t` that indicates the length that _was_ written. Clearly no such implementation can write more than `SSIZE_MAX` bytes. Ensure that each TLS stream implementation does not try to write more than `SSIZE_MAX` bytes (or smaller; if the given implementation takes a smaller size).
Edward Thomson e5e2fac8 2019-01-21T00:57:39 buffer: explicitly cast Quiet down a warning from MSVC about how we're potentially losing data. This is safe since we've explicitly tested it.
Edward Thomson f4ebb2d4 2019-01-21T00:56:35 blame: make hunk_cmp handle unsigned differences
Edward Thomson 1d4ddb8e 2019-01-20T23:42:08 iterator: cast filesystem iterator entry values explicitly The filesystem iterator takes `stat` data from disk and puts them into index entries, which use 32 bit ints for time (the seconds portion) and filesize. However, on most systems these are not 32 bit, thus will typically invoke a warning. Most users ignore these fields entirely. Diff and checkout code do use the values, however only for the cache to determine if they should check file modification. Thus, this is not a critical error (and will cause a hash recomputation at worst).
Edward Thomson c6cac733 2019-01-20T22:40:38 blob: validate that blob sizes fit in a size_t Our blob size is a `git_off_t`, which is a signed 64 bit int. This may be erroneously negative or larger than `SIZE_MAX`. Ensure that the blob size fits into a `size_t` before casting.
Edward Thomson 3aa6d96a 2019-01-20T20:38:25 tree: cast filename length in git_tree__parse_raw Quiet down a warning from MSVC about how we're potentially losing data. Ensure that we're within a uint16_t before we do.
Edward Thomson 759502ed 2019-01-20T20:30:42 odb_loose: explicitly cast to size_t Quiet down a warning from MSVC about how we're potentially losing data. This is safe since we've explicitly tested that it's positive and less than SIZE_MAX.
Edward Thomson 80c3867b 2019-01-20T19:20:12 patch: explicitly cast down in parse_header_percent Quiet down a warning from MSVC about how we're potentially losing data. This is safe since we've explicitly tested that it's within the range of 0-100.
Edward Thomson 494448a5 2019-01-20T19:10:08 index: explicitly cast down to a size_t Quiet down a warning from MSVC about how we're potentially losing data. This cast is safe since we've explicitly tested that `strip_len` <= `last_len`.
Edward Thomson c3866fa8 2019-01-20T18:54:16 diff: explicitly cast in flush_hunk Quiet down a warning from MSVC about how we're potentially losing data.
Edward Thomson 826d9a4d 2019-01-25T09:43:20 Merge pull request #4858 from tiennou/fix/index-ext-read index: preserve extension parsing errors
Edward Thomson e09f0c10 2019-01-23T10:21:42 deprecation: don't use deprecated stream cb Avoid the deprecated `git_stream_cb` typedef since we want to compile the library without deprecated functions or types. Instead, we can unroll the alias to its actual type.
Sven Strickroth bff7aed2 2019-01-24T16:44:04 Don't use deprecated constants Follow up for PR #4917. Signed-off-by: Sven Strickroth <email@cs-ware.de>
Etienne Samson 0bf7e043 2019-01-24T12:12:04 index: preserve extension parsing errors Previously, we would clobber any extension-specific error message with an "extension is truncated" message. This makes `read_extension` correctly preserve those errors, takes responsibility for truncation errors, and adds a new message with the actual extension signature for unsupported mandatory extensions.
Sven Strickroth 53bf0bde 2019-01-24T11:29:36 Fix VS warning C4098: 'giterr_set_str' : void function returning a value Signed-off-by: Sven Strickroth <email@cs-ware.de>
Edward Thomson f673e232 2018-12-27T13:47:34 git_error: use new names in internal APIs and usage Move to the `git_error` name in the internal API for error-related functions.
Edward Thomson 647dfdb4 2019-01-10T22:13:07 git_error: deprecate error values Replace the `GITERR` values with a `const int` to deprecate error values.
Edward Thomson 20961b98 2018-12-26T14:06:21 git_error: use full class name in public error API Move to the `git_error` name in error-related functions, deprecating the `giterr` functions. This means, for example, that `giterr_last` is now `git_error_last`. The old names are retained for compatibility. This only updates the public API; internal API and function usage remains unchanged.
Marijan Šuflaj f7416509 2019-01-20T20:15:31 Fix odb foreach to also close on positive error code In include/git2/odb.h it states that callback can also return positive value which should break looping. Implementations of git_odb_foreach() and pack_backend__foreach() did not respect that.
Edward Thomson b8b796c1 2019-01-20T18:09:43 repository: free memory in symlink detection function
Edward Thomson 86b522bd 2019-01-20T14:27:57 Merge pull request #4945 from libgit2/ethomson/fix-intrinsics Add/multiply with overflow tweaks
Edward Thomson 75444d97 2019-01-20T13:52:46 add with overflow: correct documentation Correct the documentation on the fallback add/multiply with overflow functions.
Edward Thomson abbc07f1 2019-01-20T13:51:15 add with overflow: use SizeTAdd on Windows Windows provides <intsafe.h> which provides "performant" add and multiply with overflow operations. Use them when possible.
Edward Thomson c6d47acf 2019-01-20T13:04:10 Remove unused git__add_uint64_overflow
Edward Thomson f04f1c7e 2019-01-20T13:00:53 add with overflow intrinsics: simplify tests Use the smallest unsigned type that is equivalent to `size_t` to simplify the conditionals. Error if we're on a system that we believe offers builtins but we cannot determine which one to use.
Edward Thomson 1758636b 2019-01-19T01:38:34 Merge pull request #4939 from libgit2/ethomson/git_ref Move `git_ref_t` to `git_reference_t`
Edward Thomson b2c2dc64 2019-01-19T01:36:40 Merge pull request #4940 from libgit2/ethomson/git_obj More `git_obj` to `git_object` updates
Edward Thomson abe23675 2019-01-17T20:09:05 Merge pull request #4925 from lhchavez/fix-a-bunch-of-warnings Fix a bunch of warnings
Edward Thomson 83151018 2019-01-17T10:47:32 object_type: convert final internal users to new names Update some missed types that were continuing to use the old `GIT_OBJ` names.
Edward Thomson cd350852 2019-01-17T10:40:13 object_type: GIT_OBJECT_BAD is now GIT_OBJECT_INVALID We use the term "invalid" to refer to bad or malformed data, eg `GIT_REF_INVALID` and `GIT_EINVALIDSPEC`. Since we're changing the names of the `git_object_t`s in this release, update it to be `GIT_OBJECT_INVALID` instead of `BAD`.
Edward Thomson ed8cfbf0 2019-01-17T00:32:31 references: use new names in internal usage Update internal usage to use the `git_reference` names for constants.
Jason Haslam 35d86c77 2019-01-14T10:14:36 proxy: fix crash on remote connection with GIT_PROXY_AUTO but no proxy is detected
lhchavez 2848923a 2019-01-08T17:32:23 Let GCC use the add/mul overflow intrinsics This change tweaks the macros for git__{add,multiply}_sizet_overflow so that GCC can use them. It also stops using the uadd,umul versions since the add,mul can handle way more cases.
lhchavez c6bfaf14 2019-01-09T06:58:40 Explanation for the rationale behind splitting formatting
Edward Thomson 1305cd4e 2019-01-09T09:55:26 Merge pull request #4926 from csware/warning-c4133 Fix warning 'function': incompatible types - from 'git_cvar_value *' to 'int *' (C4133) on VS
lhchavez 728101e3 2019-01-08T17:35:16 Move the intrinsics part of the change to its own PR Less controversial changes together is better.
lhchavez 8b599528 2019-01-08T17:26:14 Fix Linux warnings This change fixes -Wmaybe-uninitialized and -Wdeprecated-declarations warnings on Linux builds
Sven Strickroth 45001906 2019-01-07T16:14:51 Fix warning 'function': incompatible types - from 'git_cvar_value *' to 'int *' (C4133) on VS Signed-off-by: Sven Strickroth <email@cs-ware.de>
lhchavez 321d19c1 2019-01-06T08:36:06 Windows is hard.
lhchavez b5e8272f 2019-01-06T08:29:56 Attempt at fixing the MingW64 compilation It seems like MingW64's size_t is defined differently than in Linux.
lhchavez 7b453e7e 2019-01-05T22:12:48 Fix a bunch of warnings This change fixes a bunch of warnings that were discovered by compiling with `clang -target=i386-pc-linux-gnu`. It turned out that the intrinsics were not necessarily being used in all platforms! Especially in GCC, since it does not support __has_builtin. Some more warnings were gleaned from the Windows build, but I stopped when I saw that some third-party dependencies (e.g. zlib) have warnings of their own, so we might never be able to enable -Werror there.
Etienne Samson d9eae98b 2018-10-24T01:30:12 refs: assert that we're passed valid refs when renaming CID 1382962
Etienne Samson 0a8745f2 2018-10-24T01:26:48 diff: assert that we're passed a valid git_diff object CID 1386176, 1386177, 1388219
Etienne Samson 9c23552c 2018-10-24T01:21:21 submodule: grab the error while loading from config Previously, an error in `git_config_next` would be mistaken as a successful load, because the previous call would have succeeded. Coverity saw the subsequent check for a completed iteration as dead, so let's make it useful again. CID 1391374
Etienne Samson 9f714dec 2018-08-17T18:51:56 config: assert that our parameters are valid CID 1395011
Edward Thomson fba70a9d 2019-01-03T12:02:06 Merge pull request #4919 from pks-t/pks/shutdown-cb-count Shutdown callback count
Edward Thomson 9084712b 2019-01-03T12:01:52 Merge pull request #4904 from libgit2/ethomson/crlf Update CRLF filtering to match modern git
Patrick Steinhardt b46c3594 2019-01-02T09:33:55 global: move init callbacks into an array We currently have an explicit callchain of all the initialization callbacks in our `init_common` function. This is perfectly fine, but requires us to manually keep track of how many shutdown callbacks there may be installed: to avoid allocations before libgit2 is fully initialized, we assume that every initializer may register at most one shutdown function. These shutdown functions are stored in a static array of size `MAX_SHUTDOWN_CB`, which then needs to be updated manually whenever a new initializer function is being added. The situation can be easily fixed: convert the callchain of init functions into an array and iterate over it to initialize all subsystems. This allows us to define the `git__shutdown_callbacks` array with the same size as the initializer array and rids us of the need to always update `MAX_SHUTDOWN_CB`.
Patrick Steinhardt 03dc6480 2019-01-02T09:27:44 hash: convert `global_init` macros to real function The `git_hash_global_init` function is simply defined as a macro to zero for most of the different hash implementations. This makes it impossible to treat it like a function pointer, which is required for a later commit where we want to improve the way global initialization works. Fix the issue by converting all no-op macros to an inline function returning zero. There's a small gotcha here, though: as most hash implementations only have a header file, but not a corresponding implementation file, we cannot declare the function as non-static. But declaring it as `static inline` fails, too, as there is a previous declaration as non-static. So we have to move the function declaration after the include that brings in the function definition, as it is allowed to have a non-static declaration after a static definition, but not the other way round.
Patrick Steinhardt 8dde7e11 2018-12-19T11:04:58 refdb_fs: refactor error handling in `refdb_reflog_fs__delete` The function `refdb_reflog_fs__delete` uses the `if (!error && foobar())` pattern of checking, where error conditions are being checked by following calls to different code. This does not match our current style, where the call-site of a function is usually directly responsible for checking the return value. Convert the function to use `if ((error = foobar()) < 0) goto out;` style. Note that this changes the code flow a bit: previously, we were always trying to delete empty reference hierarchies even if deleting the reflog entry has failed. This wasn't much of a problem -- if deletion failed, the hierarchy will still contain at least one file and thus the function call was an expensive no-op. Now, we will only perform this deletion if we have successfully removed the reflog.
Patrick Steinhardt bc219657 2018-12-19T11:01:55 Merge pull request #4833 from csware/drop-empty-dirs Remove empty (sub-)directories when deleting refs
Carlos Martín Nieto 6ea9381b 2018-12-14T14:43:09 annotated_commit: peel to commit instead of assuming we have one We want to allow the creation of annotated commits out of annotated tags and for that we have to peel the reference all the way to the commit instead of stopping at the first id it provides.
Carlos Martín Nieto 5bd78c48 2018-12-14T14:41:17 refs: constify git_reference_peel We have no need to take a non-const reference. This does involve some other work to make sure we don't mix const and non-const variables, but by splitting what we want each variable to do we can also simplify the logic for when we do want to free a new reference we might have allocated.
Edward Thomson da8138b0 2018-12-06T12:59:17 Merge pull request #4906 from QBobWatson/bugfix Fix segfault in loose_backend__readstream
Joe Rabinoff 2f3c4b69 2018-12-06T10:48:20 Typesetting conventions
Anders Borum f4835e44 2018-12-04T21:48:12 make proxy_stream_close close target stream even on errors When git_filter_apply_fn callback returns a error while smudging proxy_stream_close ends up returning without closing the stream. This is turn makes blob_content_to_file crash as it asserts the stream being closed whether there are errors or not. Closing the target stream on error fixes this problem.
Joe Rabinoff 08afdb57 2018-12-04T10:59:25 Removed one null check
Joe Rabinoff 36f80742 2018-12-04T10:12:24 Fix segfault in loose_backend__readstream If the routine exits with error before stream or hash_ctx is initialized, the program will segfault when trying to free them.
Edward Thomson ef8f8ec6 2018-12-03T13:35:30 crlf: update to match git's logic Examine the recent CRLF changes to git by Torsten Bögershausen and include similar changes to update our CRLF logic to match. Note: Torsten Bögershausen has previously agreed to allow his changes to be included in libgit2.
Edward Thomson 168fe39b 2018-11-28T14:26:57 object_type: use new enumeration names Use the new object_type enumeration names within the codebase.
Edward Thomson 18e71e6d 2018-11-28T13:31:06 index: use new enum and structure names Use the new-style index names throughout our own codebase.
Patrick Steinhardt 0ddc6094 2018-11-30T09:46:14 Merge pull request #4770 from tiennou/feature/merge-analysis-any-branch Allow merge analysis against any reference
Patrick Steinhardt e7873eb2 2018-11-29T08:00:31 Merge pull request #4888 from TheBB/add-cb revwalk: Allow changing hide_cb
Patrick Steinhardt 487233fa 2018-11-29T07:21:41 Merge pull request #4895 from pks-t/pks/unused-warnings Unused function warnings
Edward Thomson a904fc6d 2018-11-28T20:31:30 Merge pull request #4870 from libgit2/ethomson/proxy Add builtin proxy support for the http transport
Edward Thomson 30ac46aa 2018-11-28T10:12:43 http: reset replay_count upon connection Reset the replay_count upon a successful connection. It's possible that we could encounter a situation where we connect successfully but need to replay a request - for example, a connection and initial request succeeds without authentication but a subsequent call does require authentication. Reset the replay count upon any successful request to afford subsequent replays room to manuever.
Edward Thomson 02bb39f4 2018-11-22T08:49:09 stream registration: take an enum type Accept an enum (`git_stream_t`) during custom stream registration that indicates whether the registration structure should be used for standard (non-TLS) streams or TLS streams.
Edward Thomson 52478d7d 2018-11-18T19:54:49 http: don't allow SSL connections to a proxy Temporarily disallow SSL connections to a proxy until we can understand the valgrind warnings when tunneling OpenSSL over OpenSSL.
Edward Thomson 41f620d9 2018-11-18T19:10:50 http: only load proxy configuration during connection Only load the proxy configuration during connection; we need this data when we're going to connect to the server, however we may mutate it after connection (connecting through a CONNECT proxy means that we should send requests like normal). If we reload the proxy configuration but do not actually reconnect (because we're in a keep-alive session) then we will reload the proxy configuration that we should have mutated. Thus, only load the proxy configuration when we know that we're going to reconnect.
Edward Thomson df2cc108 2018-11-18T10:29:07 stream: provide generic registration API Update the new stream registration API to be `git_stream_register` which takes a registration structure and a TLS boolean. This allows callers to register non-TLS streams as well as TLS streams. Provide `git_stream_register_tls` that takes just the init callback for backward compatibliity.
Edward Thomson 0467606f 2018-11-18T11:00:11 http: disallow repeated headers from servers Don't allow servers to send us multiple Content-Type, Content-Length or Location headers.
Edward Thomson 21142c5a 2018-10-29T10:04:48 http: remove cURL We previously used cURL to support HTTP proxies. Now that we've added this support natively, we can remove the curl dependency.
Edward Thomson 2878ad08 2018-10-29T08:59:33 streams: remove unused tls functions The implementations of git_openssl_stream_new and git_mbedtls_stream_new have callers protected by #ifdefs and are never called unless compiled in. There's no need for a dummy implementation. Remove them.
Edward Thomson 5d4e1e04 2018-10-28T21:27:56 http: use CONNECT to talk to proxies Natively support HTTPS connections through proxies by speaking CONNECT to the proxy and then adding a TLS connection on top of the socket.
Edward Thomson 43b592ac 2018-10-25T08:49:01 tls: introduce a wrap function Introduce `git_tls_stream_wrap` which will take an existing `stream` with an already connected socket and begin speaking TLS on top of it. This is useful if you've built a connection to a proxy server and you wish to begin CONNECT over it to tunnel a TLS connection. Also update the pluggable TLS stream layer so that it can accept a registration structure that provides an `init` and `wrap` function, instead of a single initialization function.
Edward Thomson b2ed778a 2018-11-18T22:20:10 http transport: reset error message on cert failure Store the error message from the underlying TLS library before calling the certificate callback. If it refuses to act (demonstrated by returning GIT_PASSTHROUGH) then restore the error message. Otherwise, if the callback does not set an error message, set a sensible default that implicates the callback itself.
Edward Thomson 2ce2315c 2018-10-22T17:33:45 http transport: support cert check for proxies Refactor certificate checking so that it can easily be called for proxies or the remote server.
Edward Thomson 74c6e08e 2018-10-22T14:56:53 http transport: provide proxy credentials
Edward Thomson 496da38c 2018-10-22T12:48:45 http transport: refactor storage Create a simple data structure that contains information about the server being connected to, whether that's the actual remote endpoint (git server) or an intermediate proxy. This allows for organization of streams, authentication state, etc.
Edward Thomson 6af8572c 2018-10-22T11:29:01 http transport: cap number of authentication replays Put a limit on the number of authentication replays in the HTTP transport. Standardize on 7 replays for authentication or redirects, which matches the behavior of the WinHTTP transport.
Edward Thomson 22654812 2018-10-22T11:24:05 http transport: prompt for proxy credentials Teach the HTTP transport how to prompt for proxy credentials.
Edward Thomson 0328eef6 2018-10-22T11:14:06 http transport: further refactor credential handling Prepare credential handling to understand both git server and proxy server authentication.
Edward Thomson 32cb56ce 2018-10-22T10:16:54 http transport: refactor credential handling Factor credential handling into its own function. Additionally, add safety checks to ensure that we are in a valid state - that we have received a valid challenge from the server and that we have configuration to respond to that challenge.
Edward Thomson e6e399ab 2018-10-22T09:49:54 http transport: use HTTP proxies when requested The HTTP transport should understand how to apply proxies when configured with `GIT_PROXY_SPECIFIED` and `GIT_PROXY_SPECIFIED`. When a proxy is configured, the HTTP transport will now connect to the proxy (instead of directly to the git server), and will request the properly-formed URL of the git server endpoint.
Edward Thomson e6f1931a 2018-10-22T00:09:24 http: rename http subtransport's `io` to `gitserver_stream` Rename `http_subtransport->io` to `http_subtransport->gitserver_stream` to clarify its use, especially as we might have additional streams (eg for a proxy) in the future.
Edward Thomson c07ff4cb 2018-10-21T14:17:06 http: rename `connection_data` -> `gitserver_data` Rename the `connection_data` struct member to `gitserver_data`, to disambiguate future `connection_data`s that apply to the proxy, not the final server endpoint.
Edward Thomson ed72465e 2018-10-13T19:16:54 proxy: propagate proxy configuration errors