kmx git

Commit	Date	Message
a8d447f6	2018-10-05T20:13:34	Merge pull request #4837 from pks-t/cmn/reject-option-submodule-url-path submodule: ignore path and url attributes if they look like options
ce8803a2	2018-10-05T20:03:38	Merge pull request #4836 from pks-t/pks/smart-packets Smart packet security fixes
84d6f439	2018-10-05T19:53:22	Merge pull request #4832 from pks-t/pks/config-includes-null-deref config_file: properly ignore includes without "path" value
4e0bdaa8	2018-10-05T11:42:00	submodule: add failing test for option-injection protection in url and path
d06d4220	2018-10-05T10:56:02	config_file: properly ignore includes without "path" value In case a configuration includes a key "include.path=" without any value, the generated configuration entry will have its value set to `NULL`. This is unexpected by the logic handling includes, and as soon as we try to calculate the included path we will unconditionally dereference that `NULL` pointer and thus segfault. Fix the issue by returning early in both `parse_include` and `parse_conditional_include` in case where the `file` argument is `NULL`. Add a test to avoid future regression. The issue has been found by the oss-fuzz project, issue 10810.
bf662f7c	2018-10-05T10:55:29	tests: always unlink created config files While our tests in config::include create a plethora of configuration files, most of them do not get removed at the end of each test. This can cause weird interactions with tests that are being run at a later stage if these later tests try to create files or directories with the same name as any of the created configuration files. Fix the issue by unlinking all created files at the end of these tests.
dbb4a586	2018-10-05T10:27:33	tests: fix warning for implicit conversion of integer to pointer GCC warns by default when implicitly converting integers to pointers or the other way round, and commit fa48d2ea7 (vector: do not malloc 0-length vectors on dup, 2018-09-26) introduced such an implicit conversion into our vector tests. While this is totally fine in this test, as the pointer's value is never being used in the first place, we can trivially avoid the warning by instead just inserting a pointer for a variable allocated on the stack into the vector.
0b3dfbf4	2018-08-09T11:13:59	smart_pkt: reorder and rename parameters of `git_pkt_parse_line` The parameters of the `git_pkt_parse_line` function are quite confusing. First, there is no real indicator what the `out` parameter is actually all about, and it's not really clear what the `bufflen` parameter refers to. Reorder and rename the parameters to make this more obvious.
a9f1ca09	2018-08-09T11:01:00	smart_pkt: fix buffer overflow when parsing "ok" packets There are two different buffer overflows present when parsing "ok" packets. First, we never verify whether the line already ends after "ok", but directly go ahead and also try to skip the expected space after "ok". Second, we then go ahead and use `strchr` to scan for the terminating newline character. But in case where the line isn't terminated correctly, this can overflow the line buffer. Fix the issues by using `git__prefixncmp` to check for the "ok " prefix and only checking for a trailing '\n' instead of using `memchr`. This also fixes the issue of us always requiring a trailing '\n'. Reported by oss-fuzz, issue 9749: Crash Type: Heap-buffer-overflow READ {*} Crash Address: 0x6310000389c0 Crash State: ok_pkt git_pkt_parse_line git_smart__store_refs Sanitizer: address (ASAN)
bc349045	2018-08-09T10:38:10	smart_pkt: fix buffer overflow when parsing "ACK" packets We are being quite lenient when parsing "ACK" packets. First, we didn't correctly verify that we're not overrunning the provided buffer length, which we fix here by using `git__prefixncmp` instead of `git__prefixcmp`. Second, we do not verify that the actual contents make any sense at all, as we simply ignore errors when parsing the ACKs OID and any unknown status strings. This may result in a parsed packet structure with invalid contents, which is being silently passed to the caller. This is being fixed by performing proper input validation and checking of return codes.
365d2720	2018-10-03T15:39:40	tests: verify parsing logic for smart packets The commits following this commit are about to introduce quite a lot of refactoring and tightening of the smart packet parser. Unfortunately, we do not yet have any tests despite our online tests that verify that our parser does not regress upon changes. This is doubly unfortunate as our online tests aren't executed by default. Add new tests that exercise the smart parsing logic directly by executing `git_pkt_parse_line`.
1621a37d	2018-09-29T13:22:59	Merge pull request #4812 from libgit2/ethomson/ci-refactor CI: refactoring
0530d7d9	2018-09-28T18:04:23	Merge pull request #4767 from pks-t/pks/config-mem In-memory configuration
2be39cef	2018-08-10T19:38:57	config: introduce new read-only in-memory backend Now that we have abstracted away how to store and retrieve config entries, it became trivial to implement a new in-memory backend by making use of this. And thus we do so. This commit implements a new read-only in-memory backend that can parse a chunk of memory into a `git_config_backend` structure.
b944e137	2018-08-10T13:03:33	config: rename "config_file.h" to "config_backend.h" The header "config_file.h" has a list of inline-functions to access the contents of a config backend without directly messing with the struct's function pointers. While all these functions are called "git_config_file_", they are in fact completely backend-agnostic and don't care whether it is a file or not. Rename all the function to instead be backend-agnostic versions called "git_config_backend_" and rename the header to match.
ba1cd495	2018-09-28T11:10:49	Merge pull request #4784 from tiennou/fix/warnings Some warnings
367f6243	2018-09-28T11:04:06	Merge pull request #4803 from tiennou/fix/4802 index: release the snapshot instead of freeing the index
fa48d2ea	2018-09-26T19:15:35	vector: do not malloc 0-length vectors on dup
be4717d2	2018-09-18T12:12:06	path: fix "comparison always true" warning
e84914fd	2018-09-20T20:11:36	online::clone: free url and username before resetting Before resetting the url and username, ensure that we free them in case they were set by environment variables.
943181c2	2018-09-10T12:36:51	Revert "clar: introduce CLAR_XML option" This reverts commit a2d73f5643814cddf90d5bf489332e14ada89ab8. Using clar to propagate the XML settings was a mistake.
d17e67d0	2018-09-08T18:54:21	clar: iterate errors in report_all / report_errors Instead of trying to have a clever iterator pattern that increments the error number, just iterate over errors in the report errors or report all functions as it's easier to reason about in this fashion.
e595eeb5	2018-08-27T01:06:37	ci: use more compatible strftime formats Windows lacks %F and %T formats for strftime. Expand them to the year/month/day and hour/minute/second formats, respectively.
b67a93ff	2018-09-04T14:00:49	clar: remove globals; error-check fprintf/fclose Remove the global summary filename and file pointer; pass them in to the summary functions as needed. Error check the results of buffered I/O calls.
a2d73f56	2018-08-24T11:23:19	clar: introduce CLAR_XML option Introduce a CLAR_XML option, to run the `ctest` commands with the new `-r` flag to clar. Permitted values are `OFF`, `ON` and a directory to write the XML test results to.
baa5c20d	2018-08-26T15:31:14	clar: accept a value for the summary filename Accept an (optional) value for the summary filename. Continues to default to summary.xml.
dbebcb04	2018-08-26T15:25:15	clar: don't use a variable named `time`
59f1e477	2018-07-27T23:00:09	Barebones JUnit XML output
3a9b9631	2018-07-26T23:02:34	Documentation
bf9fc126	2018-07-26T23:02:20	Isolate test reports This makes it possible to keep track of every test status (even successful ones), and their errors, if any.
90753a96	2018-08-26T15:11:21	clar: refactor explicitly run test behavior Previously, supplying `-s` to explicitly enable some test(s) would run the tests immediately from the argument parser. This forces us to set up the entire clar environment (for example: sandboxing) before argument parsing takes place. Refactor the behavior of `-s` to add the explicitly chosen tests to a list that is executed later. This untangles the argument parsing from the setup lifecycle, allowing us to use the arguments to perform the setup.
85eb2cb6	2018-08-26T11:33:42	Merge pull request #4727 from libgit2/cmn/null-oid-existing-tree tree: accept null ids in existing trees when updating
50186ce8	2018-08-26T11:26:45	Merge pull request #4374 from pks-t/pks/pack-file-verify Pack file verification
fd7ab1d7	2018-08-24T09:47:09	Merge pull request #4776 from pks-t/pks/test-index-invalid-filemode tests: verify adding index conflicts with invalid filemodes fails
503af775	2018-08-24T10:08:09	Merge pull request #4769 from tiennou/fix/worktree-unlock worktree: unlock should return 1 when the worktree isn't locked
3a1f5df8	2018-08-24T09:15:29	tests: verify adding index conflicts with invalid filemodes fails Commit 581d5492f (Fix leak in index.c, 2018-08-16) was fixing a memory leak in our code adding conflicts to the index when the added index entries have an invalid file mode. The memory leak was previously undiscovered as there are no tests covering this scenario, which is now being added by this commit.
cada553c	2018-08-19T15:54:10	Merge pull request #4754 from libgit2/ethomson/threads threads::diff: use separate git_repository objects
2afd0185	2018-08-19T12:57:29	threads::iterator: use separate repository objects Our thread policies state that we cannot re-use the `git_repository` across threads. Our tests cannot deviate from that. Courtesy of Ximin Luo, https://github.com/infinity0: https://github.com/libgit2/libgit2/issues/4753#issuecomment-412247757
59c2e70e	2018-08-17T00:51:51	worktree: unlock should return 1 when the worktree isn't locked The documentation states that git_worktree_unlock returns 0 on success, and 1 on success if the worktree wasn't locked. Turns out we were returning 0 in any of those cases.
6698e056	2018-08-14T04:22:14	Fix the test and comment.
f1409500	2018-08-14T03:54:01	Write a test.
d1919485	2018-08-05T11:01:14	threads::diff: use separate git_repository objects Our thread policies state that we cannot re-use the `git_repository` across threads. Our tests cannot deviate from that.
f00db9ed	2018-07-27T12:00:37	tree: rename from_tree to validate and clarify the tree in the test
219512e7	2018-07-20T14:14:16	buf tests: allocate a smaller size for the oom On Linux (where we run valgrind) allocate a smaller buffer, but still an insanely large size. This will cause malloc to fail but will not cause valgrind to report a likely error with a negative-sized malloc. Keep the original buffer size on non-Linux platforms: this is well-tested on them and changing it may be problematic. On macOS, for example, using the new size causes `malloc` to print a warning to stderr.
ce798b25	2018-07-04T10:56:56	tests: simplify cmake test configuration Simplify the names for the tests, removing the unnecessary "libgit2-clar" prefix. Make "all" the new default test run, and include the online tests by default (since HTTPS should always be enabled). For the CI tests, create an offline-only test, then the various online tests.
d285de73	2018-07-20T21:52:24	push tests: deeply free the specs Don't just free the spec vector, also free the specs themselves.
dad99881	2018-07-20T21:51:36	push tests: deeply free the push status Don't just free the push status structure, actually free the strings that were strdup'd into the struct as well.
0652abaa	2018-07-20T12:56:49	Merge pull request #4702 from tiennou/fix/coverity Assorted Coverity fixes
2dff7e28	2018-07-18T21:04:13	tree: accept null ids in existing trees when updating When we add entries to a treebuilder we validate them. But we validate even those that we're adding because they exist in the base tree. This disables using the normal mechanisms on these trees, even to fix them. Keep track of whether the entry we're appending comes from an existing tree and bypass the name and id validation if it's from existing data.
e1a4a8eb	2018-06-25T11:58:34	cmake: enforce C90 standard While the aim of libgit2 was to conform to C90 code, we never instructed the compiler to enforce C90 compliance. Thus, quite a few violations were able to get into our code base, which have been removed with the previous commits. As we are now able to build libgit2 with C90 enforced, we can set the C_STANDARD property for our own build targets. Note that we explicitly avoid setting the C standard for our third-party dependencies. At least the zlib target does not build with C90 enforced, and we do not want to fix them by deviating from upstream. Thus we simply enforce no standard for them.
c13e56f9	2018-06-25T14:12:53	cmake: distinguish internal and system include directories While we want to enforce strict C90 mode, this may cause issues with system provided header files which are themselves not strictly conforming. E.g. if a system header has C++ style comments, a compiler in strict C90 mode would produce an error and abort the build. As the user most likely doesn't want to change the system header, this would completely break the build on such systems. One example of this is mbedtls, which provides such header files. The problem can be worked around by distinguishing between system-provided and project-provided include directories. When adding include directories via "-isystem" instead of "-I", the compiler will skip certain checks and print out less warnings. To use system includes, we can simply add the "SYSTEM" flag to CMake's `INCLUDE_DIRECTORIES` and `TARGET_INCLUDE_DIRECTORIES` functions. Note that we have to split the include directories into two variables because of this, as we definitely still want to check for all warnings produced by our own header files.
9994cd3f	2018-06-25T11:56:52	treewide: remove use of C++ style comments C++ style comment ("//") are not specified by the ISO C90 standard and thus do not conform to it. While libgit2 aims to conform to C90, we did not enforce it until now, which is why quite a lot of these non-conforming comments have snuck into our codebase. Do a tree-wide conversion of all C++ style comments to the supported C style comments to allow us enforcing strict C90 compliance in a later commit.
6dfc8bc2	2018-07-09T23:10:05	Merge pull request #4719 from pks-t/pks/delta-oob Delta OOB access
89091d36	2018-07-06T20:24:21	tests: fix a relative pathname issue The path given to `git_index_add_bypath` is relative to the root of the repository. That `describe/file` path is relative to the root of the sandbox directory, hence if I add the missing `cl_git_pass` I rightfully get an error that `$SANDBOX/describe/describe/file doesn't exist`. The path is thus changed to be made relative to the repository, which makes the failure go away and "restore" the test.
8455a270	2018-07-01T12:04:27	tests: add missing cl_git_pass to tests Reported by Coverity, CID 1393678-1393697.
17bd3b96	2018-06-19T20:15:49	tests: mailmap/parsing: add a missing cl_git_pass Reported by Coverity, CID 1393483
f4633791	2018-07-06T12:36:05	Merge pull request #4687 from tiennou/fix/4672 patch_parse: populate line numbers while parsing diffs
f2a1cece	2018-07-06T11:25:47	Merge pull request #4686 from tiennou/fix/more-worktree-from-bare Fix git_worktree_validate failing on bare repositories
8a00de08	2018-07-06T10:47:06	Merge pull request #4699 from nelhage/fetch-null-dst git_refspec_transform: Handle NULL dst
c43658f6	2018-06-30T13:24:23	Merge pull request #4536 from libgit2/ethomson/index_dirty Add a "dirty" state to the index when it has unsaved changes
ff8edac9	2018-06-29T16:18:36	formatting fix
bfa1f022	2018-06-22T19:17:08	settings: optional unsaved index safety Add the `GIT_OPT_ENABLE_UNSAVED_INDEX_SAFETY` option, which will cause commands that reload the on-disk index to fail if the current `git_index` has changed that have not been saved. This will prevent users from - for example - adding a file to the index then calling a function like `git_checkout` and having that file be silently removed from the index since it was re-read from disk. Now calls that would re-read the index will fail if the index is "dirty", meaning changes have been made to it but have not been written. Users can either `git_index_read` to discard those changes explicitly, or `git_index_write` to write them.
787768c2	2018-06-22T19:07:54	index: return a unique error code on dirty index When the index is dirty, return GIT_EINDEXDIRTY so that consumers can identify the exact problem programatically.
5e26391a	2018-06-18T18:28:08	checkout: FORCE doesn't halt on dirty index If the index is dirty, allow `GIT_CHECKOUT_FORCE` to obliterate unsaved changes. This is in keeping with its name and description.
b242cdbf	2017-11-17T00:19:07	index: commit the changes to the index properly Now that the index has a "dirty" state, where it has changes that have not yet been committed or rolled back, our tests need to be adapted to actually commit or rollback the changes instead of assuming that the index can be operated on in its indeterminate state.
dc4a18c7	2017-11-12T08:23:13	index: test dirty index bit Test that any changes to the index will mark the index as dirty. Also ensure that when we initialize a new index, read the index contents from disk, or write the index contents to disk that we reset the dirty flag to zero. Further ensure that an unforced read with dirty contents (when the on-disk index has not changed) does _not_ reset the dirty flag as we have not updated the contents of our index and our unsaved contents remain intact.
55a96606	2018-06-18T16:14:26	checkout tests: validate GIT_CHECKOUT_NO_REFRESH Add tests that ensure that we re-read the on-disk image by default during checkout, but when the `GIT_CHECKOUT_NO_REFRESH` option is specified, we do _not_ re-read the index.
8356bf7e	2018-06-29T14:39:14	tests: worktree/bare: test some paths
d0921127	2018-06-29T14:39:13	tests: add a helper to build sandbox subpaths quickly
83c35f7e	2018-06-29T14:39:11	tests: worktree/bare: fix git_worktree_validate
bd40f0d7	2018-06-29T14:39:10	tests: worktree/bare: check git_worktree_list
7e3c13e0	2018-06-29T14:39:08	tests: worktree/bare: gather all tests
af3088e4	2018-06-29T11:45:15	refspec: rename `git_refspec__free` to `git_refspec__dispose` Since commit 630a67366 (refspec: add public parsing api, 2018-02-07), we now have two functions `git_refspec_free` and `git_refspec__free`. The difference is that the first one will free the structure itself, while the second one will only free the structure's contents. Use our new `dispose` naming pattern for the latter function to help avoid confusion.
7192e26f	2018-06-29T09:43:33	Merge pull request #4519 from cynecx/refspec-parsing refspec: add public parsing api
24597812	2018-06-29T09:11:02	delta: fix out-of-bounds read of delta When computing the offset and length of the delta base, we repeatedly increment the `delta` pointer without checking whether we have advanced past its end already, which can thus result in an out-of-bounds read. Fix this by repeatedly checking whether we have reached the end. Add a test which would cause Valgrind to produce an error. Reported-by: Riccardo Schirone <rschiron@redhat.com> Test-provided-by: Riccardo Schirone <rschiron@redhat.com>
7db25870	2018-06-29T07:45:18	delta: fix sign-extension of big left-shift Our delta code was originally adapted from JGit, which itself adapted it from git itself. Due to this heritage, we inherited a bug from git.git in how we compute the delta offset, which was fixed upstream in 48fb7deb5 (Fix big left-shifts of unsigned char, 2009-06-17). As explained by Linus: Shifting 'unsigned char' or 'unsigned short' left can result in sign extension errors, since the C integer promotion rules means that the unsigned char/short will get implicitly promoted to a signed 'int' due to the shift (or due to other operations). This normally doesn't matter, but if you shift things up sufficiently, it will now set the sign bit in 'int', and a subsequent cast to a bigger type (eg 'long' or 'unsigned long') will now sign-extend the value despite the original expression being unsigned. One example of this would be something like unsigned long size; unsigned char c; size += c << 24; where despite all the variables being unsigned, 'c << 24' ends up being a signed entity, and will get sign-extended when then doing the addition in an 'unsigned long' type. Since git uses 'unsigned char' pointers extensively, we actually have this bug in a couple of places. In our delta code, we inherited such a bogus shift when computing the offset at which the delta base is to be found. Due to the sign extension we can end up with an offset where all the bits are set. This can allow an arbitrary memory read, as the addition in `base_len < off + len` can now overflow if `off` has all its bits set. Fix the issue by casting the result of `*delta++ << 24UL` to an unsigned integer again. Add a test with a crafted delta that would actually succeed with an out-of-bounds read in case where the cast wouldn't exist. Reported-by: Riccardo Schirone <rschiron@redhat.com> Test-provided-by: Riccardo Schirone <rschiron@redhat.com>
7330ae67	2018-06-26T10:45:57	index::addall tests: write the index When running `git_index_add_all`, we should write the index to disk so that we can re-read it safely during status.
08ea0d7d	2018-02-18T11:49:08	index::reuc tests: test that checkout succeeds The index::reuc tests must test that the checkout itself succeeds, otherwise subsequent tests are not valid. In fact, the checkouts were failing because when checking out `SAFE`, they cannot update the files that are in conflict. Change the checkout level to `FORCE` to ensure that they get updated correctly.
c4ce017f	2018-02-18T22:27:34	index::names tests: add conflicts with high stages We add entries into the main index to correspond with the NAME entries that we're going to test. NAME entries store the results of conflicts occuring with rename detection during merge, and they must correspond to conflicts in the index. This test was mistakenly adding regular entries. The checkout validation failed, since it requires NAME entries to correspond to high-stage (conflict) entries. Correct the test to actually create conflicts.
46c9f26f	2018-06-25T15:47:31	Add a test. Verified that this breaks before the fix and passes afterwards.
4fd81c53	2018-06-18T19:43:53	Clear revwalk sorting when resetting Currently we fail to clear the sorting flag for revwalks when resetting. This caused a poor interaction with the limited flag during a recent patch. This patch clears the revwalk sorting flag and causes it to no longer persist over resets.
630a6736	2018-02-07T22:30:27	refspec: add public parsing api Fix typo Fix some type issues More fixes Address requested changes Add test Fix naming Fix condition and tests Address requested changes Fix typo
65a4b06e	2017-11-12T10:43:28	tests: indexer: add test to exercise our connectivity checking The new connectivity tests are not currently being verified at all due to being turned off by default. Create two test cases for a pack file which fails our checks and one which suceeds.
c16556aa	2017-11-12T10:31:48	indexer: introduce options struct to `git_indexer_new` We strive to keep an options structure to many functions to be able to extend options in the future without breaking the API. `git_indexer_new` doesn't have one right now, but we want to be able to add an option for enabling strict packfile verification. Add a new `git_indexer_options` structure and adjust callers to use that.
f9e28026	2018-06-18T20:37:18	patch_parse: populate line numbers while parsing diffs
b5818dda	2018-06-18T13:05:08	Fix last references to deprecated git_buf_free Signed-off-by: Sven Strickroth <email@cs-ware.de>
f98131be	2018-06-17T00:40:25	Require the length argument to git_mailmap_from_buffer and make mailmap_add_buffer internal
9faf36a6	2018-06-14T22:48:58	mailmap: git_buf_free => git_buf_dispose
56303e1a	2018-05-07T11:59:00	mailmap: API and style cleanup
a140c138	2018-04-08T03:01:37	mailmap: Updates tests for new API and features
18ff9bab	2018-03-27T22:48:03	mailmap: API and style cleanup
57cfeab9	2018-03-26T15:05:37	mailmap: Switch mailmap parsing to use the git_parse module
aa3a24a4	2018-03-26T14:44:15	mailmap: Clean up the mailmap fixture's .gitted directory
5c6c8a9b	2018-03-18T01:26:30	mailmap: Fix some other minor style nits
4ff44be8	2018-03-17T18:24:15	mailmap: Fix more bugs which snuck in when I rebased
983b8c2d	2018-03-17T18:15:41	mailmap: Add a bunch of tests for the new mailmap functionality
939d8d57	2018-03-17T18:14:03	mailmap: Support path fixtures in cl_git_repository_init()
b88cbf8c	2018-03-18T01:40:47	mailmap: Add some super-basic tests
3be73011	2018-06-11T18:26:22	Merge pull request #4436 from pks-t/pks/packfile-stream-free pack: rename `git_packfile_stream_free`
96212813	2018-06-11T17:11:36	stash test: free the commit

a8d447f6

2018-10-05T20:13:34

Merge pull request #4837 from pks-t/cmn/reject-option-submodule-url-path submodule: ignore path and url attributes if they look like options

ce8803a2

2018-10-05T20:03:38

Merge pull request #4836 from pks-t/pks/smart-packets Smart packet security fixes

84d6f439

2018-10-05T19:53:22

Merge pull request #4832 from pks-t/pks/config-includes-null-deref config_file: properly ignore includes without "path" value

4e0bdaa8

2018-10-05T11:42:00

submodule: add failing test for option-injection protection in url and path

d06d4220

2018-10-05T10:56:02

config_file: properly ignore includes without "path" value In case a configuration includes a key "include.path=" without any value, the generated configuration entry will have its value set to `NULL`. This is unexpected by the logic handling includes, and as soon as we try to calculate the included path we will unconditionally dereference that `NULL` pointer and thus segfault. Fix the issue by returning early in both `parse_include` and `parse_conditional_include` in case where the `file` argument is `NULL`. Add a test to avoid future regression. The issue has been found by the oss-fuzz project, issue 10810.

bf662f7c

2018-10-05T10:55:29

tests: always unlink created config files While our tests in config::include create a plethora of configuration files, most of them do not get removed at the end of each test. This can cause weird interactions with tests that are being run at a later stage if these later tests try to create files or directories with the same name as any of the created configuration files. Fix the issue by unlinking all created files at the end of these tests.

dbb4a586

2018-10-05T10:27:33

tests: fix warning for implicit conversion of integer to pointer GCC warns by default when implicitly converting integers to pointers or the other way round, and commit fa48d2ea7 (vector: do not malloc 0-length vectors on dup, 2018-09-26) introduced such an implicit conversion into our vector tests. While this is totally fine in this test, as the pointer's value is never being used in the first place, we can trivially avoid the warning by instead just inserting a pointer for a variable allocated on the stack into the vector.

0b3dfbf4

2018-08-09T11:13:59

smart_pkt: reorder and rename parameters of `git_pkt_parse_line` The parameters of the `git_pkt_parse_line` function are quite confusing. First, there is no real indicator what the `out` parameter is actually all about, and it's not really clear what the `bufflen` parameter refers to. Reorder and rename the parameters to make this more obvious.

a9f1ca09

2018-08-09T11:01:00

smart_pkt: fix buffer overflow when parsing "ok" packets There are two different buffer overflows present when parsing "ok" packets. First, we never verify whether the line already ends after "ok", but directly go ahead and also try to skip the expected space after "ok". Second, we then go ahead and use `strchr` to scan for the terminating newline character. But in case where the line isn't terminated correctly, this can overflow the line buffer. Fix the issues by using `git__prefixncmp` to check for the "ok " prefix and only checking for a trailing '\n' instead of using `memchr`. This also fixes the issue of us always requiring a trailing '\n'. Reported by oss-fuzz, issue 9749: Crash Type: Heap-buffer-overflow READ {*} Crash Address: 0x6310000389c0 Crash State: ok_pkt git_pkt_parse_line git_smart__store_refs Sanitizer: address (ASAN)

bc349045

2018-08-09T10:38:10

smart_pkt: fix buffer overflow when parsing "ACK" packets We are being quite lenient when parsing "ACK" packets. First, we didn't correctly verify that we're not overrunning the provided buffer length, which we fix here by using `git__prefixncmp` instead of `git__prefixcmp`. Second, we do not verify that the actual contents make any sense at all, as we simply ignore errors when parsing the ACKs OID and any unknown status strings. This may result in a parsed packet structure with invalid contents, which is being silently passed to the caller. This is being fixed by performing proper input validation and checking of return codes.

365d2720

2018-10-03T15:39:40

tests: verify parsing logic for smart packets The commits following this commit are about to introduce quite a lot of refactoring and tightening of the smart packet parser. Unfortunately, we do not yet have any tests despite our online tests that verify that our parser does not regress upon changes. This is doubly unfortunate as our online tests aren't executed by default. Add new tests that exercise the smart parsing logic directly by executing `git_pkt_parse_line`.

1621a37d

2018-09-29T13:22:59

Merge pull request #4812 from libgit2/ethomson/ci-refactor CI: refactoring

0530d7d9

2018-09-28T18:04:23

Merge pull request #4767 from pks-t/pks/config-mem In-memory configuration

2be39cef

2018-08-10T19:38:57

config: introduce new read-only in-memory backend Now that we have abstracted away how to store and retrieve config entries, it became trivial to implement a new in-memory backend by making use of this. And thus we do so. This commit implements a new read-only in-memory backend that can parse a chunk of memory into a `git_config_backend` structure.

b944e137

2018-08-10T13:03:33

config: rename "config_file.h" to "config_backend.h" The header "config_file.h" has a list of inline-functions to access the contents of a config backend without directly messing with the struct's function pointers. While all these functions are called "git_config_file_*", they are in fact completely backend-agnostic and don't care whether it is a file or not. Rename all the function to instead be backend-agnostic versions called "git_config_backend_*" and rename the header to match.

ba1cd495

2018-09-28T11:10:49

Merge pull request #4784 from tiennou/fix/warnings Some warnings

367f6243

2018-09-28T11:04:06

Merge pull request #4803 from tiennou/fix/4802 index: release the snapshot instead of freeing the index

fa48d2ea

2018-09-26T19:15:35

vector: do not malloc 0-length vectors on dup

be4717d2

2018-09-18T12:12:06

path: fix "comparison always true" warning

e84914fd

2018-09-20T20:11:36

online::clone: free url and username before resetting Before resetting the url and username, ensure that we free them in case they were set by environment variables.

943181c2

2018-09-10T12:36:51

Revert "clar: introduce CLAR_XML option" This reverts commit a2d73f5643814cddf90d5bf489332e14ada89ab8. Using clar to propagate the XML settings was a mistake.

d17e67d0

2018-09-08T18:54:21

clar: iterate errors in report_all / report_errors Instead of trying to have a clever iterator pattern that increments the error number, just iterate over errors in the report errors or report all functions as it's easier to reason about in this fashion.

e595eeb5

2018-08-27T01:06:37

ci: use more compatible strftime formats Windows lacks %F and %T formats for strftime. Expand them to the year/month/day and hour/minute/second formats, respectively.

b67a93ff

2018-09-04T14:00:49

clar: remove globals; error-check fprintf/fclose Remove the global summary filename and file pointer; pass them in to the summary functions as needed. Error check the results of buffered I/O calls.

a2d73f56

2018-08-24T11:23:19

clar: introduce CLAR_XML option Introduce a CLAR_XML option, to run the `ctest` commands with the new `-r` flag to clar. Permitted values are `OFF`, `ON` and a directory to write the XML test results to.

baa5c20d

2018-08-26T15:31:14

clar: accept a value for the summary filename Accept an (optional) value for the summary filename. Continues to default to summary.xml.

dbebcb04

2018-08-26T15:25:15

clar: don't use a variable named `time`

59f1e477

2018-07-27T23:00:09

Barebones JUnit XML output

3a9b9631

2018-07-26T23:02:34

Documentation

bf9fc126

2018-07-26T23:02:20

Isolate test reports This makes it possible to keep track of every test status (even successful ones), and their errors, if any.

90753a96

2018-08-26T15:11:21

clar: refactor explicitly run test behavior Previously, supplying `-s` to explicitly enable some test(s) would run the tests immediately from the argument parser. This forces us to set up the entire clar environment (for example: sandboxing) before argument parsing takes place. Refactor the behavior of `-s` to add the explicitly chosen tests to a list that is executed later. This untangles the argument parsing from the setup lifecycle, allowing us to use the arguments to perform the setup.

85eb2cb6

2018-08-26T11:33:42

Merge pull request #4727 from libgit2/cmn/null-oid-existing-tree tree: accept null ids in existing trees when updating

50186ce8

2018-08-26T11:26:45

Merge pull request #4374 from pks-t/pks/pack-file-verify Pack file verification

fd7ab1d7

2018-08-24T09:47:09

Merge pull request #4776 from pks-t/pks/test-index-invalid-filemode tests: verify adding index conflicts with invalid filemodes fails

503af775

2018-08-24T10:08:09

Merge pull request #4769 from tiennou/fix/worktree-unlock worktree: unlock should return 1 when the worktree isn't locked

3a1f5df8

2018-08-24T09:15:29

tests: verify adding index conflicts with invalid filemodes fails Commit 581d5492f (Fix leak in index.c, 2018-08-16) was fixing a memory leak in our code adding conflicts to the index when the added index entries have an invalid file mode. The memory leak was previously undiscovered as there are no tests covering this scenario, which is now being added by this commit.

cada553c

2018-08-19T15:54:10

Merge pull request #4754 from libgit2/ethomson/threads threads::diff: use separate git_repository objects

2afd0185

2018-08-19T12:57:29

threads::iterator: use separate repository objects Our thread policies state that we cannot re-use the `git_repository` across threads. Our tests cannot deviate from that. Courtesy of Ximin Luo, https://github.com/infinity0: https://github.com/libgit2/libgit2/issues/4753#issuecomment-412247757

59c2e70e

2018-08-17T00:51:51

worktree: unlock should return 1 when the worktree isn't locked The documentation states that git_worktree_unlock returns 0 on success, and 1 on success if the worktree wasn't locked. Turns out we were returning 0 in any of those cases.

6698e056

2018-08-14T04:22:14

Fix the test and comment.

f1409500

2018-08-14T03:54:01

Write a test.

d1919485

2018-08-05T11:01:14

threads::diff: use separate git_repository objects Our thread policies state that we cannot re-use the `git_repository` across threads. Our tests cannot deviate from that.

f00db9ed

2018-07-27T12:00:37

tree: rename from_tree to validate and clarify the tree in the test

219512e7

2018-07-20T14:14:16

buf tests: allocate a smaller size for the oom On Linux (where we run valgrind) allocate a smaller buffer, but still an insanely large size. This will cause malloc to fail but will not cause valgrind to report a likely error with a negative-sized malloc. Keep the original buffer size on non-Linux platforms: this is well-tested on them and changing it may be problematic. On macOS, for example, using the new size causes `malloc` to print a warning to stderr.

ce798b25

2018-07-04T10:56:56

tests: simplify cmake test configuration Simplify the names for the tests, removing the unnecessary "libgit2-clar" prefix. Make "all" the new default test run, and include the online tests by default (since HTTPS should always be enabled). For the CI tests, create an offline-only test, then the various online tests.

d285de73

2018-07-20T21:52:24

push tests: deeply free the specs Don't just free the spec vector, also free the specs themselves.

dad99881

2018-07-20T21:51:36

push tests: deeply free the push status Don't just free the push status structure, actually free the strings that were strdup'd into the struct as well.

0652abaa

2018-07-20T12:56:49

Merge pull request #4702 from tiennou/fix/coverity Assorted Coverity fixes

2dff7e28

2018-07-18T21:04:13

tree: accept null ids in existing trees when updating When we add entries to a treebuilder we validate them. But we validate even those that we're adding because they exist in the base tree. This disables using the normal mechanisms on these trees, even to fix them. Keep track of whether the entry we're appending comes from an existing tree and bypass the name and id validation if it's from existing data.

e1a4a8eb

2018-06-25T11:58:34

cmake: enforce C90 standard While the aim of libgit2 was to conform to C90 code, we never instructed the compiler to enforce C90 compliance. Thus, quite a few violations were able to get into our code base, which have been removed with the previous commits. As we are now able to build libgit2 with C90 enforced, we can set the C_STANDARD property for our own build targets. Note that we explicitly avoid setting the C standard for our third-party dependencies. At least the zlib target does not build with C90 enforced, and we do not want to fix them by deviating from upstream. Thus we simply enforce no standard for them.

c13e56f9

2018-06-25T14:12:53

cmake: distinguish internal and system include directories While we want to enforce strict C90 mode, this may cause issues with system provided header files which are themselves not strictly conforming. E.g. if a system header has C++ style comments, a compiler in strict C90 mode would produce an error and abort the build. As the user most likely doesn't want to change the system header, this would completely break the build on such systems. One example of this is mbedtls, which provides such header files. The problem can be worked around by distinguishing between system-provided and project-provided include directories. When adding include directories via "-isystem" instead of "-I", the compiler will skip certain checks and print out less warnings. To use system includes, we can simply add the "SYSTEM" flag to CMake's `INCLUDE_DIRECTORIES` and `TARGET_INCLUDE_DIRECTORIES` functions. Note that we have to split the include directories into two variables because of this, as we definitely still want to check for all warnings produced by our own header files.

9994cd3f

2018-06-25T11:56:52

treewide: remove use of C++ style comments C++ style comment ("//") are not specified by the ISO C90 standard and thus do not conform to it. While libgit2 aims to conform to C90, we did not enforce it until now, which is why quite a lot of these non-conforming comments have snuck into our codebase. Do a tree-wide conversion of all C++ style comments to the supported C style comments to allow us enforcing strict C90 compliance in a later commit.

6dfc8bc2

2018-07-09T23:10:05

Merge pull request #4719 from pks-t/pks/delta-oob Delta OOB access

89091d36

2018-07-06T20:24:21

tests: fix a relative pathname issue The path given to `git_index_add_bypath` is relative to the root of the repository. That `describe/file` path is relative to the root of the sandbox directory, hence if I add the missing `cl_git_pass` I rightfully get an error that `$SANDBOX/describe/describe/file doesn't exist`. The path is thus changed to be made relative to the repository, which makes the failure go away and "restore" the test.

8455a270

2018-07-01T12:04:27

tests: add missing cl_git_pass to tests Reported by Coverity, CID 1393678-1393697.

17bd3b96

2018-06-19T20:15:49

tests: mailmap/parsing: add a missing cl_git_pass Reported by Coverity, CID 1393483

f4633791

2018-07-06T12:36:05

Merge pull request #4687 from tiennou/fix/4672 patch_parse: populate line numbers while parsing diffs

f2a1cece

2018-07-06T11:25:47

Merge pull request #4686 from tiennou/fix/more-worktree-from-bare Fix git_worktree_validate failing on bare repositories

8a00de08

2018-07-06T10:47:06

Merge pull request #4699 from nelhage/fetch-null-dst git_refspec_transform: Handle NULL dst

c43658f6

2018-06-30T13:24:23

Merge pull request #4536 from libgit2/ethomson/index_dirty Add a "dirty" state to the index when it has unsaved changes

ff8edac9

2018-06-29T16:18:36

formatting fix

bfa1f022

2018-06-22T19:17:08

settings: optional unsaved index safety Add the `GIT_OPT_ENABLE_UNSAVED_INDEX_SAFETY` option, which will cause commands that reload the on-disk index to fail if the current `git_index` has changed that have not been saved. This will prevent users from - for example - adding a file to the index then calling a function like `git_checkout` and having that file be silently removed from the index since it was re-read from disk. Now calls that would re-read the index will fail if the index is "dirty", meaning changes have been made to it but have not been written. Users can either `git_index_read` to discard those changes explicitly, or `git_index_write` to write them.

787768c2

2018-06-22T19:07:54

index: return a unique error code on dirty index When the index is dirty, return GIT_EINDEXDIRTY so that consumers can identify the exact problem programatically.

5e26391a

2018-06-18T18:28:08

checkout: FORCE doesn't halt on dirty index If the index is dirty, allow `GIT_CHECKOUT_FORCE` to obliterate unsaved changes. This is in keeping with its name and description.

b242cdbf

2017-11-17T00:19:07

index: commit the changes to the index properly Now that the index has a "dirty" state, where it has changes that have not yet been committed or rolled back, our tests need to be adapted to actually commit or rollback the changes instead of assuming that the index can be operated on in its indeterminate state.

dc4a18c7

2017-11-12T08:23:13

index: test dirty index bit Test that any changes to the index will mark the index as dirty. Also ensure that when we initialize a new index, read the index contents from disk, or write the index contents to disk that we reset the dirty flag to zero. Further ensure that an unforced read with dirty contents (when the on-disk index has not changed) does _not_ reset the dirty flag as we have not updated the contents of our index and our unsaved contents remain intact.

55a96606

2018-06-18T16:14:26

checkout tests: validate GIT_CHECKOUT_NO_REFRESH Add tests that ensure that we re-read the on-disk image by default during checkout, but when the `GIT_CHECKOUT_NO_REFRESH` option is specified, we do _not_ re-read the index.

8356bf7e

2018-06-29T14:39:14

tests: worktree/bare: test some paths

d0921127

2018-06-29T14:39:13

tests: add a helper to build sandbox subpaths quickly

83c35f7e

2018-06-29T14:39:11

tests: worktree/bare: fix git_worktree_validate

bd40f0d7

2018-06-29T14:39:10

tests: worktree/bare: check git_worktree_list

7e3c13e0

2018-06-29T14:39:08

tests: worktree/bare: gather all tests

af3088e4

2018-06-29T11:45:15

refspec: rename `git_refspec__free` to `git_refspec__dispose` Since commit 630a67366 (refspec: add public parsing api, 2018-02-07), we now have two functions `git_refspec_free` and `git_refspec__free`. The difference is that the first one will free the structure itself, while the second one will only free the structure's contents. Use our new `dispose` naming pattern for the latter function to help avoid confusion.

7192e26f

2018-06-29T09:43:33

Merge pull request #4519 from cynecx/refspec-parsing refspec: add public parsing api

24597812

2018-06-29T09:11:02

delta: fix out-of-bounds read of delta When computing the offset and length of the delta base, we repeatedly increment the `delta` pointer without checking whether we have advanced past its end already, which can thus result in an out-of-bounds read. Fix this by repeatedly checking whether we have reached the end. Add a test which would cause Valgrind to produce an error. Reported-by: Riccardo Schirone <rschiron@redhat.com> Test-provided-by: Riccardo Schirone <rschiron@redhat.com>

7db25870

2018-06-29T07:45:18

delta: fix sign-extension of big left-shift Our delta code was originally adapted from JGit, which itself adapted it from git itself. Due to this heritage, we inherited a bug from git.git in how we compute the delta offset, which was fixed upstream in 48fb7deb5 (Fix big left-shifts of unsigned char, 2009-06-17). As explained by Linus: Shifting 'unsigned char' or 'unsigned short' left can result in sign extension errors, since the C integer promotion rules means that the unsigned char/short will get implicitly promoted to a signed 'int' due to the shift (or due to other operations). This normally doesn't matter, but if you shift things up sufficiently, it will now set the sign bit in 'int', and a subsequent cast to a bigger type (eg 'long' or 'unsigned long') will now sign-extend the value despite the original expression being unsigned. One example of this would be something like unsigned long size; unsigned char c; size += c << 24; where despite all the variables being unsigned, 'c << 24' ends up being a signed entity, and will get sign-extended when then doing the addition in an 'unsigned long' type. Since git uses 'unsigned char' pointers extensively, we actually have this bug in a couple of places. In our delta code, we inherited such a bogus shift when computing the offset at which the delta base is to be found. Due to the sign extension we can end up with an offset where all the bits are set. This can allow an arbitrary memory read, as the addition in `base_len < off + len` can now overflow if `off` has all its bits set. Fix the issue by casting the result of `*delta++ << 24UL` to an unsigned integer again. Add a test with a crafted delta that would actually succeed with an out-of-bounds read in case where the cast wouldn't exist. Reported-by: Riccardo Schirone <rschiron@redhat.com> Test-provided-by: Riccardo Schirone <rschiron@redhat.com>

7330ae67

2018-06-26T10:45:57

index::addall tests: write the index When running `git_index_add_all`, we should write the index to disk so that we can re-read it safely during status.

08ea0d7d

2018-02-18T11:49:08

index::reuc tests: test that checkout succeeds The index::reuc tests must test that the checkout itself succeeds, otherwise subsequent tests are not valid. In fact, the checkouts were failing because when checking out `SAFE`, they cannot update the files that are in conflict. Change the checkout level to `FORCE` to ensure that they get updated correctly.

c4ce017f

2018-02-18T22:27:34

index::names tests: add conflicts with high stages We add entries into the main index to correspond with the NAME entries that we're going to test. NAME entries store the results of conflicts occuring with rename detection during merge, and they must correspond to conflicts in the index. This test was mistakenly adding regular entries. The checkout validation failed, since it requires NAME entries to correspond to high-stage (conflict) entries. Correct the test to actually create conflicts.

46c9f26f

2018-06-25T15:47:31

Add a test. Verified that this breaks before the fix and passes afterwards.

4fd81c53

2018-06-18T19:43:53

Clear revwalk sorting when resetting Currently we fail to clear the sorting flag for revwalks when resetting. This caused a poor interaction with the limited flag during a recent patch. This patch clears the revwalk sorting flag and causes it to no longer persist over resets.

630a6736

2018-02-07T22:30:27

refspec: add public parsing api Fix typo Fix some type issues More fixes Address requested changes Add test Fix naming Fix condition and tests Address requested changes Fix typo

65a4b06e

2017-11-12T10:43:28

tests: indexer: add test to exercise our connectivity checking The new connectivity tests are not currently being verified at all due to being turned off by default. Create two test cases for a pack file which fails our checks and one which suceeds.

c16556aa

2017-11-12T10:31:48

indexer: introduce options struct to `git_indexer_new` We strive to keep an options structure to many functions to be able to extend options in the future without breaking the API. `git_indexer_new` doesn't have one right now, but we want to be able to add an option for enabling strict packfile verification. Add a new `git_indexer_options` structure and adjust callers to use that.

f9e28026

2018-06-18T20:37:18

patch_parse: populate line numbers while parsing diffs

b5818dda

2018-06-18T13:05:08

Fix last references to deprecated git_buf_free Signed-off-by: Sven Strickroth <email@cs-ware.de>

f98131be

2018-06-17T00:40:25

Require the length argument to git_mailmap_from_buffer and make mailmap_add_buffer internal

9faf36a6

2018-06-14T22:48:58

mailmap: git_buf_free => git_buf_dispose

56303e1a

2018-05-07T11:59:00

mailmap: API and style cleanup

a140c138

2018-04-08T03:01:37

mailmap: Updates tests for new API and features

18ff9bab

2018-03-27T22:48:03

mailmap: API and style cleanup

57cfeab9

2018-03-26T15:05:37

mailmap: Switch mailmap parsing to use the git_parse module

aa3a24a4

2018-03-26T14:44:15

mailmap: Clean up the mailmap fixture's .gitted directory

5c6c8a9b

2018-03-18T01:26:30

mailmap: Fix some other minor style nits

4ff44be8

2018-03-17T18:24:15

mailmap: Fix more bugs which snuck in when I rebased

983b8c2d

2018-03-17T18:15:41

mailmap: Add a bunch of tests for the new mailmap functionality

939d8d57

2018-03-17T18:14:03

mailmap: Support path fixtures in cl_git_repository_init()

b88cbf8c

2018-03-18T01:40:47

mailmap: Add some super-basic tests

3be73011

2018-06-11T18:26:22

Merge pull request #4436 from pks-t/pks/packfile-stream-free pack: rename `git_packfile_stream_free`

96212813

2018-06-11T17:11:36

stash test: free the commit

thodg/libgit2/tests

tests

Log