kmx git

Commit	Date	Message
4209a512	2018-11-14T12:04:42	strntol: fix out-of-bounds reads when parsing numbers with leading sign When parsing a number, we accept a leading plus or minus sign to return a positive or negative number. When the parsed string has such a leading sign, we set up a flag indicating that the number is negative and advance the pointer to the next character in that string. This misses updating the number of bytes in the string, though, which is why the parser may later on do an out-of-bounds read. Fix the issue by correctly updating both the pointer and the number of remaining bytes. Furthermore, we need to check whether we actually have any bytes left after having advanced the pointer, as otherwise the auto-detection of the base may do an out-of-bonuds access. Add a test that detects the out-of-bound read. Note that this is not actually security critical. While there are a lot of places where the function is called, all of these places are guarded or irrelevant: - commit list: this operates on objects from the ODB, which are always NUL terminated any may thus not trigger the off-by-one OOB read. - config: the configuration is NUL terminated. - curl stream: user input is being parsed that is always NUL terminated - index: the index is read via `git_futils_readbuffer`, which always NUL terminates it. - loose objects: used to parse the length from the object's header. As we check previously that the buffer contains a NUL byte, this is safe. - rebase: this parses numbers from the rebase instruction sheet. As the rebase code uses `git_futils_readbuffer`, the buffer is always NUL terminated. - revparse: this parses a user provided buffer that is NUL terminated. - signature: this parser the header information of objects. As objects read from the ODB are always NUL terminated, this is a non-issue. The constructor `git_signature_from_buffer` does not accept a length parameter for the buffer, so the buffer needs to be NUL terminated, as well. - smart transport: the buffer that is parsed is NUL terminated - tree cache: this parses the tree cache from the index extension. The index itself is read via `git_futils_readbuffer`, which always NUL terminates it. - winhttp transport: user input is being parsed that is always NUL terminated
50d09407	2018-10-29T18:05:27	strntol: fix detection and skipping of base prefixes The `git__strntol` family of functions has the ability to auto-detect a number's base if the string has either the common '0x' prefix for hexadecimal numbers or '0' prefix for octal numbers. The detection of such prefixes and following handling has two major issues though that are being fixed in one go now. - We do not do any bounds checking previous to verifying the '0x' base. While we do verify that there is at least one digit available previously, we fail to verify that there are two digits available and thus may do an out-of-bounds read when parsing this two-character-prefix. - When skipping the prefix of such numbers, we only update the pointer length without also updating the number of remaining bytes. Thus if we try to parse a number '0x1' of total length 3, we will first skip the first two bytes and then try to read 3 bytes starting at '1'. Fix both issues by disentangling the logic. Instead of doing the detection and skipping of such prefixes in one go, we will now first try to detect the base while also honoring how many bytes are left. Only if we have a valid base that is either 8 or 16 and have one of the known prefixes, we will now advance the pointer and update the remaining bytes in one step. Add some tests that verify that no out-of-bounds parsing happens and that autodetection works as advertised.
41863a00	2018-10-29T17:19:58	strntol: fix out-of-bounds read when skipping leading spaces The `git__strntol` family of functions accepts leading spaces and will simply skip them. The skipping will not honor the provided buffer's length, though, which may lead it to read outside of the provided buffer's bounds if it is not a simple NUL-terminated string. Furthermore, if leading space is trimmed, the function will further advance the pointer but not update the number of remaining bytes, which may also lead to out-of-bounds reads. Fix the issue by properly paying attention to the buffer length and updating it when stripping leading whitespace characters. Add a test that verifies that we won't read past the provided buffer length.
623647af	2018-10-26T12:33:59	Merge pull request #4864 from pks-t/pks/object-parse-fixes Object parse fixes
83e8a6b3	2018-10-18T16:08:46	util: provide `git__memmem` function Unfortunately, neither the `memmem` nor the `strnstr` functions are part of any C standard but are merely extensions of C that are implemented by e.g. glibc. Thus, there is no standardized way to search for a string in a block of memory with a limited size, and using `strstr` is to be considered unsafe in case where the buffer has not been sanitized. In fact, there are some uses of `strstr` in exactly that unsafe way in our codebase. Provide a new function `git__memmem` that implements the `memmem` semantics. That is in a given haystack of `n` bytes, search for the occurrence of a byte sequence of `m` bytes and return a pointer to the first occurrence. The implementation chosen is the "Not So Naive" algorithm from [1]. It was chosen as the implementation is comparably simple while still being reasonably efficient in most cases. Preprocessing happens in constant time and space, searching has a time complexity of O(n*m) with a slightly sub-linear average case. [1]: http://www-igm.univ-mlv.fr/~lecroq/string/
ea19efc1	2018-10-18T15:08:56	util: fix out of bounds read in error message When an integer that is parsed with `git__strntol32` is too big to fit into an int32, we will generate an error message that includes the actual string that failed to parse. This does not acknowledge the fact that the string may either not be NUL terminated or alternative include additional characters after the number that is to be parsed. We may thus end up printing characters into the buffer that aren't the number or, worse, read out of bounds. Fix the issue by utilizing the `endptr` that was set by `git__strntol64`. This pointer is guaranteed to be set to the first character following the number, and we can thus use it to compute the width of the number that shall be printed. Create a test to verify that we correctly truncate the number.
39087ab8	2018-10-18T12:11:33	tests: core::strtol: test for some more edge-cases Some edge cases were currently completely untested, e.g. parsing numbers greater than INT64_{MIN,MAX}, truncating buffers by length and invalid characters. Add tests to verify that the system under test performs as expected.
8d7fa88a	2018-10-18T12:04:07	util: remove `git__strtol32` The function `git__strtol32` can easily be misused when untrusted data is passed to it that may not have been sanitized with trailing `NUL` bytes. As all usages of this function have now been removed, we can remove this function altogether to avoid future misuse of it.
68deb2cc	2018-10-18T11:37:10	util: remove unsafe `git__strtol64` function The function `git__strtol64` does not take a maximum buffer length as parameter. This has led to some unsafe usages of this function, and as such we may consider it as being unsafe to use. As we have now eradicated all usages of this function, let's remove it completely to avoid future misuse.
838a2f29	2018-10-07T12:00:48	Merge pull request #4828 from csware/git_futils_rmdir_r_failing Add some more tests for git_futils_rmdir_r and some cleanup
ad273718	2018-10-04T10:32:07	tests: sanitize file hierarchy after running rmdir tests Currently, we do not clean up after ourselves after tests in core::rmdir have created new files in the directory hierarchy. This may leave stale files and/or directories after having run tests, confusing subsequent tests that expect a pristine test environment. Most importantly, it may cause the test initialization to fail which expects being able to re-create the testing hierarchy before each test in case where another test hasn't cleaned up after itself. Fix the issue by adding a cleanup function that removes the temporary testing hierarchy after each test if it still exists.
e886ab46	2018-10-02T19:50:29	tests: Add some more tests for git_futils_rmdir_r Signed-off-by: Sven Strickroth <email@cs-ware.de>
dbb4a586	2018-10-05T10:27:33	tests: fix warning for implicit conversion of integer to pointer GCC warns by default when implicitly converting integers to pointers or the other way round, and commit fa48d2ea7 (vector: do not malloc 0-length vectors on dup, 2018-09-26) introduced such an implicit conversion into our vector tests. While this is totally fine in this test, as the pointer's value is never being used in the first place, we can trivially avoid the warning by instead just inserting a pointer for a variable allocated on the stack into the vector.
ba1cd495	2018-09-28T11:10:49	Merge pull request #4784 from tiennou/fix/warnings Some warnings
fa48d2ea	2018-09-26T19:15:35	vector: do not malloc 0-length vectors on dup
be4717d2	2018-09-18T12:12:06	path: fix "comparison always true" warning
9994cd3f	2018-06-25T11:56:52	treewide: remove use of C++ style comments C++ style comment ("//") are not specified by the ISO C90 standard and thus do not conform to it. While libgit2 aims to conform to C90, we did not enforce it until now, which is why quite a lot of these non-conforming comments have snuck into our codebase. Do a tree-wide conversion of all C++ style comments to the supported C style comments to allow us enforcing strict C90 compliance in a later commit.
ecf4f33a	2018-02-08T11:14:48	Convert usage of `git_buf_free` to new `git_buf_dispose`
e3d764a4	2018-03-29T22:14:12	tests: clarify comment
86219f40	2017-11-30T15:40:13	util: introduce `git__prefixncmp` and consolidate implementations Introduce `git_prefixncmp` that will search up to the first `n` characters of a string to see if it is prefixed by another string. This is useful for examining if a non-null terminated character array is prefixed by a particular substring. Consolidate the various implementations of `git__prefixcmp` around a single core implementation and add some test cases to validate its behavior.
e9369856	2017-03-21T00:25:15	stream: Gather streams to src/streams
08c1b8fc	2017-08-28T21:24:13	cmake: simplify some HTTPS tests
89a34828	2017-06-16T13:34:43	diff: implement function to calculate patch ID The upstream git project provides the ability to calculate a so-called patch ID. Quoting from git-patch-id(1): A "patch ID" is nothing but a sum of SHA-1 of the file diffs associated with a patch, with whitespace and line numbers ignored." Patch IDs can be used to identify two patches which are probably the same thing, e.g. when a patch has been cherry-picked to another branch. This commit implements a new function `git_diff_patchid`, which gets a patch and derives an OID from the diff. Note the different terminology here: a patch in libgit2 are the differences in a single file and a diff can contain multiple patches for different files. The implementation matches the upstream implementation and should derive the same OID for the same diff. In fact, some code has been directly derived from the upstream implementation. The upstream implementation has two different modes to calculate patch IDs, which is the stable and unstable mode. The old way of calculating the patch IDs was unstable in a sense that a different ordering the diffs was leading to different results. This oversight was fixed in git 1.9, but as git tries hard to never break existing workflows, the old and unstable way is still default. The newer and stable way does not care for ordering of the diff hunks, and in fact it is the mode that should probably be used today. So right now, we only implement the stable way of generating the patch ID.
8296da5f	2017-06-14T10:49:28	Merge pull request #4267 from mohseenrm/master adding GIT_FILTER_VERSION to GIT_FILTER_INIT as part of convention
a78441bc	2017-06-13T11:05:40	Adding git_filter_init for initializing `git_filter` struct + unit test
95170294	2017-06-13T11:08:28	tests: core: test initialization of `git_proxy_options` Initialization of the `git_proxy_options` structure is never tested anywhere. Include it in our usual initialization test in "core::structinit::compare".
8a5e7aae	2017-05-22T12:53:44	varint: fix computation for remaining buffer space When encoding varints to a buffer, we want to remain sure that the required buffer space does not exceed what is actually available. Our current check does not do the right thing, though, in that it does not honor that our `pos` variable counts the position down instead of up. As such, we will require too much memory for small varints and not enough memory for big varints. Fix the issue by correctly calculating the required size as `(sizeof(varint) - pos)`. Add a test which failed before.
417319cc	2017-04-25T10:14:37	tests: core::features: only check for HTTPS if it is supported
983979fa	2017-03-22T19:52:38	inet_pton: don't assume addr families don't exist Address family 5 might exist on some crazy system like Haiku. Use `INT_MAX-1` as an unsupported address family.
31059923	2017-03-20T12:16:18	Merge pull request #4169 from csware/absolute-symlink
c10ce7c2	2017-03-20T12:11:05	tests: filebuf: test writing to symlink with absolute paths
d087c8f8	2017-02-24T14:14:56	hash: test for sha1 collision attack detection
40170177	2017-02-25T10:21:59	Fix inet_pton tests triggering an assert in Haiku Haiku will assert in a nightly build if the "dst" input to inet_pton() is NULL.
0d716905	2017-01-27T15:23:15	oidmap: remove GIT__USE_OIDMAP macro
13c3bc9a	2017-01-27T14:32:23	strmap: remove GIT__USE_STRMAP macro
73028af8	2017-01-27T14:20:24	khash: avoid using macro magic to get return address
85d2748c	2017-01-27T14:05:10	khash: avoid using `kh_key`/`kh_val` as lvalue
f31cb45a	2017-01-25T15:31:12	khash: avoid using `kh_put` directly
cb18386f	2017-01-25T14:26:58	khash: avoid using `kh_val`/`kh_value` directly
a853c527	2017-01-25T14:14:32	khash: avoid using `kh_get` directly
64e46dc3	2017-01-25T14:14:12	khash: avoid using `kh_end` directly
9e8d75c7	2017-02-08T11:41:10	path: ensure dirname on Win32 prefix always has a trailing '/' When calling `git_path_dirname_r` on a Win32 prefix, e.g. a drive or network share prefix, we always want to return the trailing '/'. This does not work currently when passing in a path like 'C:', where the '/' would not be appended correctly. Fix this by appending a '/' if we try to normalize a Win32 prefix and there is no trailing '/'.
5d59520c	2017-02-07T20:30:11	path: get correct dirname for Windows root Getting the dirname of a filesystem root should return the filesystem root itself. E.g. the dirname of "/" is always "/". On Windows, we emulate this behavior and as such, we should return e.g. "C:/" if calling dirname on "C:/". But we currently fail to do so and instead return ".", as we do not check if we actually have a Windows prefix before stripping off the last directory component. Fix this by calling out to `win32_prefix_length` immediately after stripping trailing slashes, returning early if we have a prefix.
410855fc	2016-12-17T18:18:30	sysdir: add failing test for variable substitution When given $PATH as part of a search path, we guess again instead of substituting what the user already set.
99479062	2016-11-18T16:50:34	core::init tests: reverse init/shutdown We want a predictable number of initializations in our multithreaded init test, but we also want to make sure that we have _actually_ initialized `git_libgit2_init` before calling `git_thread_create` (since it now has a sanity check that `git_libgit2_init` has been called). Since `git_thread_create` is internal-only, keep this sanity check. Flip the invocation so that we `git_libgit2_init` before our thread tests and `git_libgit2_shutdown` again after.
5fe5557e	2016-11-04T18:18:46	Merge pull request #3974 from libgit2/pks/synchronize-shutdown global: synchronize initialization and shutdown with pthreads
1c33ecc4	2016-11-01T14:30:38	tests: core: test deinitialization and concurrent initialization Exercise the logic surrounding deinitialization of the libgit2 library as well as repeated concurrent de- and reinitialization. This tries to catch races and makes sure that it is possible to reinitialize libgit2 multiple times. After deinitializing libgit2, we have to make sure to setup options required for testing. Currently, this only includes setting up the configuration search path again. Before, this has been set up once in `tests/main.c`.
95fa3880	2016-10-28T16:07:40	pqueue: resolve possible NULL pointer dereference The `git_pqueue` struct allows being fixed in its total number of entries. In this case, we simply throw away items that are inserted into the priority queue by examining wether the new item to be inserted has a higher priority than the previous smallest one. This feature somewhat contradicts our pqueue implementation in that it is allowed to not have a comparison function. In fact, we also fail to check if the comparison function is actually set in the case where we add a new item into a fully filled fixed-size pqueue. As we cannot determine which item is the smallest item in absence of a comparison function, we fix the `NULL` pointer dereference by simply dropping all new items which are about to be inserted into a full fixed-size pqueue.
61ad9bcd	2016-10-27T11:26:52	tests: vector: fix memory leak
36117978	2016-10-06T18:30:30	Fix the existence check for `regcomp_l`. `xlocale.h` only defines `regcomp_l` if `regex.h` was included as well. Also change the test cases to actually test `p_regcomp` works with a multibyte locale.
45dc219f	2016-10-07T16:01:28	Merge pull request #3921 from libgit2/cmn/walk-limit-enough Improve revision walk preparation logic
ab96ca55	2016-10-06T13:15:31	Make sure we use the `C` locale for `regcomp` on macOS.
0bd43371	2016-09-23T12:42:33	vector, pqueue: add git_vector_reverse and git_pqueue_reverse This is a convenience function to reverse the contents of a vector and a pqueue in-place. The pqueue function is useful in the case where we're treating it as a LIFO queue.
aeb5ee5a	2016-05-17T15:40:46	varint: Add varint encoding/decoding This code is ported from git.git Signed-off-by: Junio C Hamano <gitster@pobox.com> Signed-off-by: David Turner <dturner@twopensource.com>
78b500bf	2016-08-04T12:45:19	Merge pull request #3850 from wildart/custom-tls Enable https transport for custom TLS streams
bdec62dc	2016-07-06T13:06:25	remove conditions that prevent use of custom TLS stream
c18a2bc4	2016-07-05T15:51:01	Merge pull request #3851 from txdv/get-user-agent Add get user agent functionality.
f1dba144	2016-07-05T09:41:51	Add get user agent functionality.
70b9b841	2016-06-28T20:19:52	Fixed bug while parsing INT64_MIN
53571f2f	2015-11-21T15:16:01	vector: more sensible names for `grow_at`/`shrink_at`
e564fc65	2015-09-25T12:41:15	git_vector_grow/shrink: correct shrink, and tests
6278fbc5	2015-09-24T09:40:42	patch parsing: squash some memory leaks
b8dc2fdb	2015-07-09T18:36:53	zstream: fail when asked to inflate garbage When we are provided some input buffer (with a length) to inflate, and it contains more data than simply the deflated data, fail. zlib will helpfully tell us when it is done reading (via Z_STREAM_END), so if there is data leftover in the input buffer, fail lest we continually try to inflate it.
5b78dbdb	2015-07-09T13:04:10	git_buf: decode base85 inputs
b88f1713	2015-06-17T08:07:34	zstream: offer inflating, `git_zstream_inflatebuf` Introduce `git_zstream_inflatebuf` for simple uses.
04f47a43	2016-04-06T10:37:30	tests: fix core/stream test when built with openssl off When passing -DUSE_OPENSSL:BOOL=OFF to cmake the testsuite will fail with the following error: core::stream::register_tls [/tmp/libgit2/tests/core/stream.c:40] Function call failed: (error) error -1 - <no message> Fix test to assume failure for tls when built without openssl. While at it also fix GIT_WIN32 cpp to check if it's defined or not.
f5c874a4	2016-03-29T14:47:31	Plug a few leaks
ba6f86eb	2016-03-18T17:33:46	Introduce `git_path_common_dirlen`
e2e4bae9	2016-03-22T00:18:44	tree: drop the now-unnecessary entries vector Remove the now-unnecessary entries vector. Add `git_array_search` to binary search through an array to accomplish this.
6cc4bac8	2016-02-28T11:31:10	Merge pull request #3577 from rossdylan/rossdylan/pooldebug Add a new build flag to disable the pool allocator
7bab2e8f	2016-02-22T23:04:40	git_libgit2_opts: validate key
35439f59	2016-02-11T12:24:21	win32: introduce p_timeval that isn't stupid Windows defines `timeval` with `long`, which we cannot sanely cope with. Instead, use a custom timeval struct.
ed0571f8	2016-01-12T16:08:38	Add a new build flag to disable the pool allocator and pass all git_pool_malloc calls straight to git__malloc
87428c55	2015-11-20T20:48:51	Fix some warnings
7ff7ca62	2015-11-12T20:51:01	pool: Never return unaligned buffers
75a0ccf5	2015-11-12T19:53:09	Merge pull request #3170 from CmdrMoozy/nsec_fix git_index_entry__init_from_stat: set nsec fields in entry stats
2c26c867	2015-11-12T19:22:31	Merge pull request #3499 from ethomson/ref_dir_errmsgs Improve error messages when dirs prevent ref/reflog creation
de870533	2015-10-02T03:43:11	settings: add a setter for a custom user-agent
ec50b23a	2015-11-03T17:02:07	filebuf: detect directories in our way When creating a filebuf, detect a directory that exists in our target file location. This prevents a failure later, when we try to move the lock file to the destination.
7fafde63	2015-10-13T11:25:41	stream: allow registering a user-provided TLS constructor This allows the application to use their own TLS stream, regardless of the capabilities of libgit2 itself.
66eb7660	2015-10-28T10:29:00	pool: Handle 32 bit systems
1e5e02b4	2015-10-27T17:26:04	pool: Simplify implementation
c7b17fb5	2015-10-01T18:01:32	Merge branch 'master' into nsec_fix_next
5c5df666	2015-09-27T23:32:20	Plug some leaks
2be78557	2015-06-02T12:45:30	caps: add test for GIT_FEATURES_NSEC
e24c60db	2015-09-17T09:42:05	mkdir: find component paths for mkdir_relative `git_futils_mkdir` does not blindly call `git_futils_mkdir_relative`. `git_futils_mkdir_relative` is used when you have some base directory and want to create some path inside of it, potentially removing blocking symlinks and files in the process. This is not suitable for a general recursive mkdir within the filesystem. Instead, when `mkdir` is being recursive, locate the first existent parent directory and use that as the base for `mkdir_relative`.
0862ec2e	2015-09-17T09:58:38	core::mkdir tests: ensure we don't stomp symlinks in mkdir In `mkdir` and `mkdir_r`, ensure that we don't try to remove symlinks that are in our way.
08df6630	2015-09-16T18:07:56	core::mkdir tests: include absolute mkdirs
ac2fba0e	2015-09-16T15:07:27	git_futils_mkdir_*: make a relative-to-base mkdir Untangle git_futils_mkdir from git_futils_mkdir_ext - the latter assumes that we own everything beneath the base, as if it were being called with a base of the repository or working directory, and is tailored towards checkout and ensuring that there is no bogosity beneath the base that must be cleaned up. This is (at best) slow and (at worst) unsafe in the larger context of a filesystem where we do not own things and cannot do things like unlink symlinks that are in our way.
2cde210d	2015-09-13T13:52:19	diriter: test we can iterate root Ensure that we can iterate the filesystem root and that paths come back well-formed, not with an additional '/'. (eg, when iterating `c:/`, expect that we do not get some path like `c://autoexec.bat`).
8e736a73	2015-09-08T15:48:44	futils: ensure we can write a hidden file
ea3f2c29	2015-09-08T14:35:53	filebuf: ensure we can lock a hidden file
d83b2e9f	2015-09-05T03:54:06	filebuf: follow symlinks when creating a lock file We create a lockfile to update files under GIT_DIR. Sometimes these files are actually located elsewhere and a symlink takes their place. In that case we should lock and update the file at its final location rather than overwrite the symlink.
ef4857c2	2015-08-03T16:50:27	errors: tighten up git_error_state OOMs a bit more When an error state is an OOM, make sure that we treat is specially and do not try to free it.
988ea594	2015-07-27T10:13:49	Test: check restored oom error points to static buffer
5ef4b860	2015-07-23T13:16:19	Add failing test for capture/restore oom error
19d9beb7	2015-07-24T19:22:41	filebuf: remove lockfile upon rename errors When we have an error renaming the lockfile, we need to make sure that we remove it upon cleanup. For this, we need to keep track of whether we opened the file and whether the rename succeeded. If we did create the lockfile but the rename did not succeed, we remove the lockfile. This won't protect against all errors, but the most common ones (target file is open) does get handled.
668053be	2015-07-24T18:44:29	filebuf: failing test for leaving the lockfile when failing to rename When we fail to rename, we currently leave the lockfile laying around. This shows that behaviour.
e069c621	2015-07-02T09:25:48	git__getenv: utf-8 aware env reader Introduce `git__getenv` which is a UTF-8 aware `getenv` everywhere. Make `cl_getenv` use this to keep consistent memory handling around return values (free everywhere, as opposed to only some platforms).
a6599235	2015-06-24T19:32:56	buffer: make use of EINVALID for growing a borrowed buffer This explains more closely what happens. While here, set an error message.

4209a512

2018-11-14T12:04:42

strntol: fix out-of-bounds reads when parsing numbers with leading sign When parsing a number, we accept a leading plus or minus sign to return a positive or negative number. When the parsed string has such a leading sign, we set up a flag indicating that the number is negative and advance the pointer to the next character in that string. This misses updating the number of bytes in the string, though, which is why the parser may later on do an out-of-bounds read. Fix the issue by correctly updating both the pointer and the number of remaining bytes. Furthermore, we need to check whether we actually have any bytes left after having advanced the pointer, as otherwise the auto-detection of the base may do an out-of-bonuds access. Add a test that detects the out-of-bound read. Note that this is not actually security critical. While there are a lot of places where the function is called, all of these places are guarded or irrelevant: - commit list: this operates on objects from the ODB, which are always NUL terminated any may thus not trigger the off-by-one OOB read. - config: the configuration is NUL terminated. - curl stream: user input is being parsed that is always NUL terminated - index: the index is read via `git_futils_readbuffer`, which always NUL terminates it. - loose objects: used to parse the length from the object's header. As we check previously that the buffer contains a NUL byte, this is safe. - rebase: this parses numbers from the rebase instruction sheet. As the rebase code uses `git_futils_readbuffer`, the buffer is always NUL terminated. - revparse: this parses a user provided buffer that is NUL terminated. - signature: this parser the header information of objects. As objects read from the ODB are always NUL terminated, this is a non-issue. The constructor `git_signature_from_buffer` does not accept a length parameter for the buffer, so the buffer needs to be NUL terminated, as well. - smart transport: the buffer that is parsed is NUL terminated - tree cache: this parses the tree cache from the index extension. The index itself is read via `git_futils_readbuffer`, which always NUL terminates it. - winhttp transport: user input is being parsed that is always NUL terminated

50d09407

2018-10-29T18:05:27

strntol: fix detection and skipping of base prefixes The `git__strntol` family of functions has the ability to auto-detect a number's base if the string has either the common '0x' prefix for hexadecimal numbers or '0' prefix for octal numbers. The detection of such prefixes and following handling has two major issues though that are being fixed in one go now. - We do not do any bounds checking previous to verifying the '0x' base. While we do verify that there is at least one digit available previously, we fail to verify that there are two digits available and thus may do an out-of-bounds read when parsing this two-character-prefix. - When skipping the prefix of such numbers, we only update the pointer length without also updating the number of remaining bytes. Thus if we try to parse a number '0x1' of total length 3, we will first skip the first two bytes and then try to read 3 bytes starting at '1'. Fix both issues by disentangling the logic. Instead of doing the detection and skipping of such prefixes in one go, we will now first try to detect the base while also honoring how many bytes are left. Only if we have a valid base that is either 8 or 16 and have one of the known prefixes, we will now advance the pointer and update the remaining bytes in one step. Add some tests that verify that no out-of-bounds parsing happens and that autodetection works as advertised.

41863a00

2018-10-29T17:19:58

strntol: fix out-of-bounds read when skipping leading spaces The `git__strntol` family of functions accepts leading spaces and will simply skip them. The skipping will not honor the provided buffer's length, though, which may lead it to read outside of the provided buffer's bounds if it is not a simple NUL-terminated string. Furthermore, if leading space is trimmed, the function will further advance the pointer but not update the number of remaining bytes, which may also lead to out-of-bounds reads. Fix the issue by properly paying attention to the buffer length and updating it when stripping leading whitespace characters. Add a test that verifies that we won't read past the provided buffer length.

623647af

2018-10-26T12:33:59

Merge pull request #4864 from pks-t/pks/object-parse-fixes Object parse fixes

83e8a6b3

2018-10-18T16:08:46

util: provide `git__memmem` function Unfortunately, neither the `memmem` nor the `strnstr` functions are part of any C standard but are merely extensions of C that are implemented by e.g. glibc. Thus, there is no standardized way to search for a string in a block of memory with a limited size, and using `strstr` is to be considered unsafe in case where the buffer has not been sanitized. In fact, there are some uses of `strstr` in exactly that unsafe way in our codebase. Provide a new function `git__memmem` that implements the `memmem` semantics. That is in a given haystack of `n` bytes, search for the occurrence of a byte sequence of `m` bytes and return a pointer to the first occurrence. The implementation chosen is the "Not So Naive" algorithm from [1]. It was chosen as the implementation is comparably simple while still being reasonably efficient in most cases. Preprocessing happens in constant time and space, searching has a time complexity of O(n*m) with a slightly sub-linear average case. [1]: http://www-igm.univ-mlv.fr/~lecroq/string/

ea19efc1

2018-10-18T15:08:56

util: fix out of bounds read in error message When an integer that is parsed with `git__strntol32` is too big to fit into an int32, we will generate an error message that includes the actual string that failed to parse. This does not acknowledge the fact that the string may either not be NUL terminated or alternative include additional characters after the number that is to be parsed. We may thus end up printing characters into the buffer that aren't the number or, worse, read out of bounds. Fix the issue by utilizing the `endptr` that was set by `git__strntol64`. This pointer is guaranteed to be set to the first character following the number, and we can thus use it to compute the width of the number that shall be printed. Create a test to verify that we correctly truncate the number.

39087ab8

2018-10-18T12:11:33

tests: core::strtol: test for some more edge-cases Some edge cases were currently completely untested, e.g. parsing numbers greater than INT64_{MIN,MAX}, truncating buffers by length and invalid characters. Add tests to verify that the system under test performs as expected.

8d7fa88a

2018-10-18T12:04:07

util: remove `git__strtol32` The function `git__strtol32` can easily be misused when untrusted data is passed to it that may not have been sanitized with trailing `NUL` bytes. As all usages of this function have now been removed, we can remove this function altogether to avoid future misuse of it.

68deb2cc

2018-10-18T11:37:10

util: remove unsafe `git__strtol64` function The function `git__strtol64` does not take a maximum buffer length as parameter. This has led to some unsafe usages of this function, and as such we may consider it as being unsafe to use. As we have now eradicated all usages of this function, let's remove it completely to avoid future misuse.

838a2f29

2018-10-07T12:00:48

Merge pull request #4828 from csware/git_futils_rmdir_r_failing Add some more tests for git_futils_rmdir_r and some cleanup

ad273718

2018-10-04T10:32:07

tests: sanitize file hierarchy after running rmdir tests Currently, we do not clean up after ourselves after tests in core::rmdir have created new files in the directory hierarchy. This may leave stale files and/or directories after having run tests, confusing subsequent tests that expect a pristine test environment. Most importantly, it may cause the test initialization to fail which expects being able to re-create the testing hierarchy before each test in case where another test hasn't cleaned up after itself. Fix the issue by adding a cleanup function that removes the temporary testing hierarchy after each test if it still exists.

e886ab46

2018-10-02T19:50:29

tests: Add some more tests for git_futils_rmdir_r Signed-off-by: Sven Strickroth <email@cs-ware.de>

dbb4a586

2018-10-05T10:27:33

tests: fix warning for implicit conversion of integer to pointer GCC warns by default when implicitly converting integers to pointers or the other way round, and commit fa48d2ea7 (vector: do not malloc 0-length vectors on dup, 2018-09-26) introduced such an implicit conversion into our vector tests. While this is totally fine in this test, as the pointer's value is never being used in the first place, we can trivially avoid the warning by instead just inserting a pointer for a variable allocated on the stack into the vector.

ba1cd495

2018-09-28T11:10:49

Merge pull request #4784 from tiennou/fix/warnings Some warnings

fa48d2ea

2018-09-26T19:15:35

vector: do not malloc 0-length vectors on dup

be4717d2

2018-09-18T12:12:06

path: fix "comparison always true" warning

9994cd3f

2018-06-25T11:56:52

treewide: remove use of C++ style comments C++ style comment ("//") are not specified by the ISO C90 standard and thus do not conform to it. While libgit2 aims to conform to C90, we did not enforce it until now, which is why quite a lot of these non-conforming comments have snuck into our codebase. Do a tree-wide conversion of all C++ style comments to the supported C style comments to allow us enforcing strict C90 compliance in a later commit.

ecf4f33a

2018-02-08T11:14:48

Convert usage of `git_buf_free` to new `git_buf_dispose`

e3d764a4

2018-03-29T22:14:12

tests: clarify comment

86219f40

2017-11-30T15:40:13

util: introduce `git__prefixncmp` and consolidate implementations Introduce `git_prefixncmp` that will search up to the first `n` characters of a string to see if it is prefixed by another string. This is useful for examining if a non-null terminated character array is prefixed by a particular substring. Consolidate the various implementations of `git__prefixcmp` around a single core implementation and add some test cases to validate its behavior.

e9369856

2017-03-21T00:25:15

stream: Gather streams to src/streams

08c1b8fc

2017-08-28T21:24:13

cmake: simplify some HTTPS tests

89a34828

2017-06-16T13:34:43

diff: implement function to calculate patch ID The upstream git project provides the ability to calculate a so-called patch ID. Quoting from git-patch-id(1): A "patch ID" is nothing but a sum of SHA-1 of the file diffs associated with a patch, with whitespace and line numbers ignored." Patch IDs can be used to identify two patches which are probably the same thing, e.g. when a patch has been cherry-picked to another branch. This commit implements a new function `git_diff_patchid`, which gets a patch and derives an OID from the diff. Note the different terminology here: a patch in libgit2 are the differences in a single file and a diff can contain multiple patches for different files. The implementation matches the upstream implementation and should derive the same OID for the same diff. In fact, some code has been directly derived from the upstream implementation. The upstream implementation has two different modes to calculate patch IDs, which is the stable and unstable mode. The old way of calculating the patch IDs was unstable in a sense that a different ordering the diffs was leading to different results. This oversight was fixed in git 1.9, but as git tries hard to never break existing workflows, the old and unstable way is still default. The newer and stable way does not care for ordering of the diff hunks, and in fact it is the mode that should probably be used today. So right now, we only implement the stable way of generating the patch ID.

8296da5f

2017-06-14T10:49:28

Merge pull request #4267 from mohseenrm/master adding GIT_FILTER_VERSION to GIT_FILTER_INIT as part of convention

a78441bc

2017-06-13T11:05:40

Adding git_filter_init for initializing `git_filter` struct + unit test

95170294

2017-06-13T11:08:28

tests: core: test initialization of `git_proxy_options` Initialization of the `git_proxy_options` structure is never tested anywhere. Include it in our usual initialization test in "core::structinit::compare".

8a5e7aae

2017-05-22T12:53:44

varint: fix computation for remaining buffer space When encoding varints to a buffer, we want to remain sure that the required buffer space does not exceed what is actually available. Our current check does not do the right thing, though, in that it does not honor that our `pos` variable counts the position down instead of up. As such, we will require too much memory for small varints and not enough memory for big varints. Fix the issue by correctly calculating the required size as `(sizeof(varint) - pos)`. Add a test which failed before.

417319cc

2017-04-25T10:14:37

tests: core::features: only check for HTTPS if it is supported

983979fa

2017-03-22T19:52:38

inet_pton: don't assume addr families don't exist Address family 5 might exist on some crazy system like Haiku. Use `INT_MAX-1` as an unsupported address family.

31059923

2017-03-20T12:16:18

Merge pull request #4169 from csware/absolute-symlink

c10ce7c2

2017-03-20T12:11:05

tests: filebuf: test writing to symlink with absolute paths

d087c8f8

2017-02-24T14:14:56

hash: test for sha1 collision attack detection

40170177

2017-02-25T10:21:59

Fix inet_pton tests triggering an assert in Haiku Haiku will assert in a nightly build if the "dst" input to inet_pton() is NULL.

0d716905

2017-01-27T15:23:15

oidmap: remove GIT__USE_OIDMAP macro

13c3bc9a

2017-01-27T14:32:23

strmap: remove GIT__USE_STRMAP macro

73028af8

2017-01-27T14:20:24

khash: avoid using macro magic to get return address

85d2748c

2017-01-27T14:05:10

khash: avoid using `kh_key`/`kh_val` as lvalue

f31cb45a

2017-01-25T15:31:12

khash: avoid using `kh_put` directly

cb18386f

2017-01-25T14:26:58

khash: avoid using `kh_val`/`kh_value` directly

a853c527

2017-01-25T14:14:32

khash: avoid using `kh_get` directly

64e46dc3

2017-01-25T14:14:12

khash: avoid using `kh_end` directly

9e8d75c7

2017-02-08T11:41:10

path: ensure dirname on Win32 prefix always has a trailing '/' When calling `git_path_dirname_r` on a Win32 prefix, e.g. a drive or network share prefix, we always want to return the trailing '/'. This does not work currently when passing in a path like 'C:', where the '/' would not be appended correctly. Fix this by appending a '/' if we try to normalize a Win32 prefix and there is no trailing '/'.

5d59520c

2017-02-07T20:30:11

path: get correct dirname for Windows root Getting the dirname of a filesystem root should return the filesystem root itself. E.g. the dirname of "/" is always "/". On Windows, we emulate this behavior and as such, we should return e.g. "C:/" if calling dirname on "C:/". But we currently fail to do so and instead return ".", as we do not check if we actually have a Windows prefix before stripping off the last directory component. Fix this by calling out to `win32_prefix_length` immediately after stripping trailing slashes, returning early if we have a prefix.

410855fc

2016-12-17T18:18:30

sysdir: add failing test for variable substitution When given $PATH as part of a search path, we guess again instead of substituting what the user already set.

99479062

2016-11-18T16:50:34

core::init tests: reverse init/shutdown We want a predictable number of initializations in our multithreaded init test, but we also want to make sure that we have _actually_ initialized `git_libgit2_init` before calling `git_thread_create` (since it now has a sanity check that `git_libgit2_init` has been called). Since `git_thread_create` is internal-only, keep this sanity check. Flip the invocation so that we `git_libgit2_init` before our thread tests and `git_libgit2_shutdown` again after.

5fe5557e

2016-11-04T18:18:46

Merge pull request #3974 from libgit2/pks/synchronize-shutdown global: synchronize initialization and shutdown with pthreads

1c33ecc4

2016-11-01T14:30:38

tests: core: test deinitialization and concurrent initialization Exercise the logic surrounding deinitialization of the libgit2 library as well as repeated concurrent de- and reinitialization. This tries to catch races and makes sure that it is possible to reinitialize libgit2 multiple times. After deinitializing libgit2, we have to make sure to setup options required for testing. Currently, this only includes setting up the configuration search path again. Before, this has been set up once in `tests/main.c`.

95fa3880

2016-10-28T16:07:40

pqueue: resolve possible NULL pointer dereference The `git_pqueue` struct allows being fixed in its total number of entries. In this case, we simply throw away items that are inserted into the priority queue by examining wether the new item to be inserted has a higher priority than the previous smallest one. This feature somewhat contradicts our pqueue implementation in that it is allowed to not have a comparison function. In fact, we also fail to check if the comparison function is actually set in the case where we add a new item into a fully filled fixed-size pqueue. As we cannot determine which item is the smallest item in absence of a comparison function, we fix the `NULL` pointer dereference by simply dropping all new items which are about to be inserted into a full fixed-size pqueue.

61ad9bcd

2016-10-27T11:26:52

tests: vector: fix memory leak

36117978

2016-10-06T18:30:30

Fix the existence check for `regcomp_l`. `xlocale.h` only defines `regcomp_l` if `regex.h` was included as well. Also change the test cases to actually test `p_regcomp` works with a multibyte locale.

45dc219f

2016-10-07T16:01:28

Merge pull request #3921 from libgit2/cmn/walk-limit-enough Improve revision walk preparation logic

ab96ca55

2016-10-06T13:15:31

Make sure we use the `C` locale for `regcomp` on macOS.

0bd43371

2016-09-23T12:42:33

vector, pqueue: add git_vector_reverse and git_pqueue_reverse This is a convenience function to reverse the contents of a vector and a pqueue in-place. The pqueue function is useful in the case where we're treating it as a LIFO queue.

aeb5ee5a

2016-05-17T15:40:46

varint: Add varint encoding/decoding This code is ported from git.git Signed-off-by: Junio C Hamano <gitster@pobox.com> Signed-off-by: David Turner <dturner@twopensource.com>

78b500bf

2016-08-04T12:45:19

Merge pull request #3850 from wildart/custom-tls Enable https transport for custom TLS streams

bdec62dc

2016-07-06T13:06:25

remove conditions that prevent use of custom TLS stream

c18a2bc4

2016-07-05T15:51:01

Merge pull request #3851 from txdv/get-user-agent Add get user agent functionality.

f1dba144

2016-07-05T09:41:51

Add get user agent functionality.

70b9b841

2016-06-28T20:19:52

Fixed bug while parsing INT64_MIN

53571f2f

2015-11-21T15:16:01

vector: more sensible names for `grow_at`/`shrink_at`

e564fc65

2015-09-25T12:41:15

git_vector_grow/shrink: correct shrink, and tests

6278fbc5

2015-09-24T09:40:42

patch parsing: squash some memory leaks

b8dc2fdb

2015-07-09T18:36:53

zstream: fail when asked to inflate garbage When we are provided some input buffer (with a length) to inflate, and it contains more data than simply the deflated data, fail. zlib will helpfully tell us when it is done reading (via Z_STREAM_END), so if there is data leftover in the input buffer, fail lest we continually try to inflate it.

5b78dbdb

2015-07-09T13:04:10

git_buf: decode base85 inputs

b88f1713

2015-06-17T08:07:34

zstream: offer inflating, `git_zstream_inflatebuf` Introduce `git_zstream_inflatebuf` for simple uses.

04f47a43

2016-04-06T10:37:30

tests: fix core/stream test when built with openssl off When passing -DUSE_OPENSSL:BOOL=OFF to cmake the testsuite will fail with the following error: core::stream::register_tls [/tmp/libgit2/tests/core/stream.c:40] Function call failed: (error) error -1 - <no message> Fix test to assume failure for tls when built without openssl. While at it also fix GIT_WIN32 cpp to check if it's defined or not.

f5c874a4

2016-03-29T14:47:31

Plug a few leaks

ba6f86eb

2016-03-18T17:33:46

Introduce `git_path_common_dirlen`

e2e4bae9

2016-03-22T00:18:44

tree: drop the now-unnecessary entries vector Remove the now-unnecessary entries vector. Add `git_array_search` to binary search through an array to accomplish this.

6cc4bac8

2016-02-28T11:31:10

Merge pull request #3577 from rossdylan/rossdylan/pooldebug Add a new build flag to disable the pool allocator

7bab2e8f

2016-02-22T23:04:40

git_libgit2_opts: validate key

35439f59

2016-02-11T12:24:21

win32: introduce p_timeval that isn't stupid Windows defines `timeval` with `long`, which we cannot sanely cope with. Instead, use a custom timeval struct.

ed0571f8

2016-01-12T16:08:38

Add a new build flag to disable the pool allocator and pass all git_pool_malloc calls straight to git__malloc

87428c55

2015-11-20T20:48:51

Fix some warnings

7ff7ca62

2015-11-12T20:51:01

pool: Never return unaligned buffers

75a0ccf5

2015-11-12T19:53:09

Merge pull request #3170 from CmdrMoozy/nsec_fix git_index_entry__init_from_stat: set nsec fields in entry stats

2c26c867

2015-11-12T19:22:31

Merge pull request #3499 from ethomson/ref_dir_errmsgs Improve error messages when dirs prevent ref/reflog creation

de870533

2015-10-02T03:43:11

settings: add a setter for a custom user-agent

ec50b23a

2015-11-03T17:02:07

filebuf: detect directories in our way When creating a filebuf, detect a directory that exists in our target file location. This prevents a failure later, when we try to move the lock file to the destination.

7fafde63

2015-10-13T11:25:41

stream: allow registering a user-provided TLS constructor This allows the application to use their own TLS stream, regardless of the capabilities of libgit2 itself.

66eb7660

2015-10-28T10:29:00

pool: Handle 32 bit systems

1e5e02b4

2015-10-27T17:26:04

pool: Simplify implementation

c7b17fb5

2015-10-01T18:01:32

Merge branch 'master' into nsec_fix_next

5c5df666

2015-09-27T23:32:20

Plug some leaks

2be78557

2015-06-02T12:45:30

caps: add test for GIT_FEATURES_NSEC

e24c60db

2015-09-17T09:42:05

mkdir: find component paths for mkdir_relative `git_futils_mkdir` does not blindly call `git_futils_mkdir_relative`. `git_futils_mkdir_relative` is used when you have some base directory and want to create some path inside of it, potentially removing blocking symlinks and files in the process. This is not suitable for a general recursive mkdir within the filesystem. Instead, when `mkdir` is being recursive, locate the first existent parent directory and use that as the base for `mkdir_relative`.

0862ec2e

2015-09-17T09:58:38

core::mkdir tests: ensure we don't stomp symlinks in mkdir In `mkdir` and `mkdir_r`, ensure that we don't try to remove symlinks that are in our way.

08df6630

2015-09-16T18:07:56

core::mkdir tests: include absolute mkdirs

ac2fba0e

2015-09-16T15:07:27

git_futils_mkdir_*: make a relative-to-base mkdir Untangle git_futils_mkdir from git_futils_mkdir_ext - the latter assumes that we own everything beneath the base, as if it were being called with a base of the repository or working directory, and is tailored towards checkout and ensuring that there is no bogosity beneath the base that must be cleaned up. This is (at best) slow and (at worst) unsafe in the larger context of a filesystem where we do not own things and cannot do things like unlink symlinks that are in our way.

2cde210d

2015-09-13T13:52:19

diriter: test we can iterate root Ensure that we can iterate the filesystem root and that paths come back well-formed, not with an additional '/'. (eg, when iterating `c:/`, expect that we do not get some path like `c://autoexec.bat`).

8e736a73

2015-09-08T15:48:44

futils: ensure we can write a hidden file

ea3f2c29

2015-09-08T14:35:53

filebuf: ensure we can lock a hidden file

d83b2e9f

2015-09-05T03:54:06

filebuf: follow symlinks when creating a lock file We create a lockfile to update files under GIT_DIR. Sometimes these files are actually located elsewhere and a symlink takes their place. In that case we should lock and update the file at its final location rather than overwrite the symlink.

ef4857c2

2015-08-03T16:50:27

errors: tighten up git_error_state OOMs a bit more When an error state is an OOM, make sure that we treat is specially and do not try to free it.

988ea594

2015-07-27T10:13:49

Test: check restored oom error points to static buffer

5ef4b860

2015-07-23T13:16:19

Add failing test for capture/restore oom error

19d9beb7

2015-07-24T19:22:41

filebuf: remove lockfile upon rename errors When we have an error renaming the lockfile, we need to make sure that we remove it upon cleanup. For this, we need to keep track of whether we opened the file and whether the rename succeeded. If we did create the lockfile but the rename did not succeed, we remove the lockfile. This won't protect against all errors, but the most common ones (target file is open) does get handled.

668053be

2015-07-24T18:44:29

filebuf: failing test for leaving the lockfile when failing to rename When we fail to rename, we currently leave the lockfile laying around. This shows that behaviour.

e069c621

2015-07-02T09:25:48

git__getenv: utf-8 aware env reader Introduce `git__getenv` which is a UTF-8 aware `getenv` everywhere. Make `cl_getenv` use this to keep consistent memory handling around return values (free everywhere, as opposed to only some platforms).

a6599235

2015-06-24T19:32:56

buffer: make use of EINVALID for growing a borrowed buffer This explains more closely what happens. While here, set an error message.

thodg/libgit2/tests/core

tests/core

Log