|
415a8ae9
|
2018-09-13T13:27:07
|
|
tests: don't run buf::oom on 32-bit systems
On a 32-bit Linux systems, the value large enough to make malloc
guarantee a failure is also large enough that valgrind considers it
"fishy". Skip this test on those systems entirely.
|
|
7c791f3d
|
2018-10-20T20:25:51
|
|
Merge pull request #4852 from libgit2/ethomson/unc_paths
Win32 path canonicalization refactoring
|
|
6cc14ae3
|
2018-10-20T20:22:04
|
|
Merge pull request #4840 from libgit2/cmn/validity-tree-from-unowned-index
Check object existence when creating a tree from an index
|
|
a2f9f94b
|
2018-10-20T20:18:04
|
|
Merge branch 'issue-4203'
|
|
c79e6081
|
2018-10-20T19:08:16
|
|
checkout: fix test fixture missing objects
The testrepo test fixture has an index file that's damaged, missing an
object. The index previously had an entry of `src/index.c` with id
3161df8cbf3a006b4ef85be6497a0ea6bde98541, but that object was missing in
the repository. This commit adds an object to the repository and
updates the index to use that existing blob.
Similarly, the index has an entry for `readme` with an id of
97328ac7e3bd0bcd3900cb3e7a624d71dd0df888. This can be restored from
other test repositories.
With these fixed, now the write tree from index tests can pass since they
validate object existence.
|
|
16fd9ba9
|
2018-10-17T11:34:38
|
|
win32: more tests for `git_win32_remove_path`
|
|
b2e85f98
|
2018-10-17T08:48:43
|
|
win32: rename `git_win32__canonicalize_path`
The internal API `git_win32__canonicalize_path` is far, far too easily
confused with the internal API `git_win32_path_canonicalize`. The
former removes the namespace prefix from a path (eg, given
`\\?\C:\Temp\foo`, it returns `C:\Temp\foo`, and given
`\\?\UNC\server\share`, it returns `\\server\share`). As such, rename
it to `git_win32_path_remove_namespace`.
`git_win32_path_canonicalize` remains unchanged.
|
|
1cbc9604
|
2018-09-28T10:57:50
|
|
config: add failing test for no newline after section header
|
|
814e7acb
|
2018-10-12T12:38:06
|
|
Merge pull request #4842 from nelhage/fuzz-config-memory
config: Port config_file_fuzzer to the new in-memory backend.
|
|
2d449a11
|
2018-10-09T02:42:14
|
|
config: Refactor `git_config_backend_from_string` to take a length
|
|
fbc0dcda
|
2018-10-08T13:01:23
|
|
index: add failing test for writing an invalid tree from an unowned index
When the index does not belong to any repository, we do not do any checks of the
target id going in as we cannot verify that it exists.
When we then write it out to a repository as a tree, we fail to perform the
object existance and type-matching check that we do in other code-paths. This
leads to being able to write trees which point to non-existent blobs even with
strict object creation enabled.
|
|
838a2f29
|
2018-10-07T12:00:48
|
|
Merge pull request #4828 from csware/git_futils_rmdir_r_failing
Add some more tests for git_futils_rmdir_r and some cleanup
|
|
0cd976c8
|
2018-10-07T12:00:06
|
|
Merge pull request #4830 from pks-t/pks/diff-stats-rename-common
diff_stats: use git's formatting of renames with common directories
|
|
a8d447f6
|
2018-10-05T20:13:34
|
|
Merge pull request #4837 from pks-t/cmn/reject-option-submodule-url-path
submodule: ignore path and url attributes if they look like options
|
|
ce8803a2
|
2018-10-05T20:03:38
|
|
Merge pull request #4836 from pks-t/pks/smart-packets
Smart packet security fixes
|
|
84d6f439
|
2018-10-05T19:53:22
|
|
Merge pull request #4832 from pks-t/pks/config-includes-null-deref
config_file: properly ignore includes without "path" value
|
|
4e0bdaa8
|
2018-10-05T11:42:00
|
|
submodule: add failing test for option-injection protection in url and path
|
|
ad273718
|
2018-10-04T10:32:07
|
|
tests: sanitize file hierarchy after running rmdir tests
Currently, we do not clean up after ourselves after tests in core::rmdir
have created new files in the directory hierarchy. This may leave stale
files and/or directories after having run tests, confusing subsequent
tests that expect a pristine test environment. Most importantly, it may
cause the test initialization to fail which expects being able to
re-create the testing hierarchy before each test in case where another
test hasn't cleaned up after itself.
Fix the issue by adding a cleanup function that removes the temporary
testing hierarchy after each test if it still exists.
|
|
e886ab46
|
2018-10-02T19:50:29
|
|
tests: Add some more tests for git_futils_rmdir_r
Signed-off-by: Sven Strickroth <email@cs-ware.de>
|
|
d06d4220
|
2018-10-05T10:56:02
|
|
config_file: properly ignore includes without "path" value
In case a configuration includes a key "include.path=" without any
value, the generated configuration entry will have its value set to
`NULL`. This is unexpected by the logic handling includes, and as soon
as we try to calculate the included path we will unconditionally
dereference that `NULL` pointer and thus segfault.
Fix the issue by returning early in both `parse_include` and
`parse_conditional_include` in case where the `file` argument is `NULL`.
Add a test to avoid future regression.
The issue has been found by the oss-fuzz project, issue 10810.
|
|
bf662f7c
|
2018-10-05T10:55:29
|
|
tests: always unlink created config files
While our tests in config::include create a plethora of configuration
files, most of them do not get removed at the end of each test. This can
cause weird interactions with tests that are being run at a later stage
if these later tests try to create files or directories with the same
name as any of the created configuration files.
Fix the issue by unlinking all created files at the end of these tests.
|
|
dbb4a586
|
2018-10-05T10:27:33
|
|
tests: fix warning for implicit conversion of integer to pointer
GCC warns by default when implicitly converting integers to pointers or
the other way round, and commit fa48d2ea7 (vector: do not malloc
0-length vectors on dup, 2018-09-26) introduced such an implicit
conversion into our vector tests. While this is totally fine in this
test, as the pointer's value is never being used in the first place, we
can trivially avoid the warning by instead just inserting a pointer for
a variable allocated on the stack into the vector.
|
|
3f096ca5
|
2018-10-04T13:03:25
|
|
Fix comment style and update test code
|
|
e5090ee3
|
2018-10-04T11:19:28
|
|
diff_stats: use git's formatting of renames with common directories
In cases where a file gets renamed such that the directories containing
it previous and after the rename have a common prefix, then git will
avoid printing this prefix twice and instead format the rename as
"prefix/{old => new}". We currently didn't do anything like that, but
simply printed "prefix/old -> prefix/new".
Adjust our behaviour to instead match upstream. Adjust the test for this
behaviour to expect the new format.
|
|
3148efd2
|
2018-10-04T11:13:57
|
|
tests: verify diff stats with renames in subdirectory
Until now, we didn't have any tests that verified that our format for
renames in subdirectories is correct. While our current behaviour is no
different than for renames that do not happen with a common prefix
shared between old and new file name, we intend to change the format to
instead match the format that upstream git uses.
Add a test case for this to document our current behaviour and to show
how the next commit will change that format.
|
|
0b3dfbf4
|
2018-08-09T11:13:59
|
|
smart_pkt: reorder and rename parameters of `git_pkt_parse_line`
The parameters of the `git_pkt_parse_line` function are quite confusing.
First, there is no real indicator what the `out` parameter is actually
all about, and it's not really clear what the `bufflen` parameter refers
to. Reorder and rename the parameters to make this more obvious.
|
|
a9f1ca09
|
2018-08-09T11:01:00
|
|
smart_pkt: fix buffer overflow when parsing "ok" packets
There are two different buffer overflows present when parsing "ok"
packets. First, we never verify whether the line already ends after
"ok", but directly go ahead and also try to skip the expected space
after "ok". Second, we then go ahead and use `strchr` to scan for the
terminating newline character. But in case where the line isn't
terminated correctly, this can overflow the line buffer.
Fix the issues by using `git__prefixncmp` to check for the "ok " prefix
and only checking for a trailing '\n' instead of using `memchr`. This
also fixes the issue of us always requiring a trailing '\n'.
Reported by oss-fuzz, issue 9749:
Crash Type: Heap-buffer-overflow READ {*}
Crash Address: 0x6310000389c0
Crash State:
ok_pkt
git_pkt_parse_line
git_smart__store_refs
Sanitizer: address (ASAN)
|
|
bc349045
|
2018-08-09T10:38:10
|
|
smart_pkt: fix buffer overflow when parsing "ACK" packets
We are being quite lenient when parsing "ACK" packets. First, we didn't
correctly verify that we're not overrunning the provided buffer length,
which we fix here by using `git__prefixncmp` instead of
`git__prefixcmp`. Second, we do not verify that the actual contents make
any sense at all, as we simply ignore errors when parsing the ACKs OID
and any unknown status strings. This may result in a parsed packet
structure with invalid contents, which is being silently passed to the
caller. This is being fixed by performing proper input validation and
checking of return codes.
|
|
365d2720
|
2018-10-03T15:39:40
|
|
tests: verify parsing logic for smart packets
The commits following this commit are about to introduce quite a lot of
refactoring and tightening of the smart packet parser. Unfortunately, we
do not yet have any tests despite our online tests that verify that our
parser does not regress upon changes. This is doubly unfortunate as our
online tests aren't executed by default.
Add new tests that exercise the smart parsing logic directly by
executing `git_pkt_parse_line`.
|
|
8ab11dd5
|
2018-09-30T16:40:22
|
|
Fix issue with path canonicalization for Win32 paths
|
|
1621a37d
|
2018-09-29T13:22:59
|
|
Merge pull request #4812 from libgit2/ethomson/ci-refactor
CI: refactoring
|
|
0530d7d9
|
2018-09-28T18:04:23
|
|
Merge pull request #4767 from pks-t/pks/config-mem
In-memory configuration
|
|
2be39cef
|
2018-08-10T19:38:57
|
|
config: introduce new read-only in-memory backend
Now that we have abstracted away how to store and retrieve config
entries, it became trivial to implement a new in-memory backend by
making use of this. And thus we do so.
This commit implements a new read-only in-memory backend that can parse
a chunk of memory into a `git_config_backend` structure.
|
|
b944e137
|
2018-08-10T13:03:33
|
|
config: rename "config_file.h" to "config_backend.h"
The header "config_file.h" has a list of inline-functions to access the
contents of a config backend without directly messing with the struct's
function pointers. While all these functions are called
"git_config_file_*", they are in fact completely backend-agnostic and
don't care whether it is a file or not. Rename all the function to
instead be backend-agnostic versions called "git_config_backend_*" and
rename the header to match.
|
|
ba1cd495
|
2018-09-28T11:10:49
|
|
Merge pull request #4784 from tiennou/fix/warnings
Some warnings
|
|
367f6243
|
2018-09-28T11:04:06
|
|
Merge pull request #4803 from tiennou/fix/4802
index: release the snapshot instead of freeing the index
|
|
fa48d2ea
|
2018-09-26T19:15:35
|
|
vector: do not malloc 0-length vectors on dup
|
|
be4717d2
|
2018-09-18T12:12:06
|
|
path: fix "comparison always true" warning
|
|
e84914fd
|
2018-09-20T20:11:36
|
|
online::clone: free url and username before resetting
Before resetting the url and username, ensure that we free them in case
they were set by environment variables.
|
|
943181c2
|
2018-09-10T12:36:51
|
|
Revert "clar: introduce CLAR_XML option"
This reverts commit a2d73f5643814cddf90d5bf489332e14ada89ab8.
Using clar to propagate the XML settings was a mistake.
|
|
d17e67d0
|
2018-09-08T18:54:21
|
|
clar: iterate errors in report_all / report_errors
Instead of trying to have a clever iterator pattern that increments the
error number, just iterate over errors in the report errors or report
all functions as it's easier to reason about in this fashion.
|
|
e595eeb5
|
2018-08-27T01:06:37
|
|
ci: use more compatible strftime formats
Windows lacks %F and %T formats for strftime. Expand them to the
year/month/day and hour/minute/second formats, respectively.
|
|
b67a93ff
|
2018-09-04T14:00:49
|
|
clar: remove globals; error-check fprintf/fclose
Remove the global summary filename and file pointer; pass them in to the
summary functions as needed. Error check the results of buffered I/O
calls.
|
|
a2d73f56
|
2018-08-24T11:23:19
|
|
clar: introduce CLAR_XML option
Introduce a CLAR_XML option, to run the `ctest` commands with the new
`-r` flag to clar. Permitted values are `OFF`, `ON` and a directory to
write the XML test results to.
|
|
baa5c20d
|
2018-08-26T15:31:14
|
|
clar: accept a value for the summary filename
Accept an (optional) value for the summary filename. Continues to
default to summary.xml.
|
|
dbebcb04
|
2018-08-26T15:25:15
|
|
clar: don't use a variable named `time`
|
|
59f1e477
|
2018-07-27T23:00:09
|
|
Barebones JUnit XML output
|
|
3a9b9631
|
2018-07-26T23:02:34
|
|
Documentation
|
|
bf9fc126
|
2018-07-26T23:02:20
|
|
Isolate test reports
This makes it possible to keep track of every test status (even
successful ones), and their errors, if any.
|
|
90753a96
|
2018-08-26T15:11:21
|
|
clar: refactor explicitly run test behavior
Previously, supplying `-s` to explicitly enable some test(s) would run
the tests immediately from the argument parser. This forces us to set
up the entire clar environment (for example: sandboxing) before argument
parsing takes place.
Refactor the behavior of `-s` to add the explicitly chosen tests to a
list that is executed later. This untangles the argument parsing from
the setup lifecycle, allowing us to use the arguments to perform the
setup.
|
|
85eb2cb6
|
2018-08-26T11:33:42
|
|
Merge pull request #4727 from libgit2/cmn/null-oid-existing-tree
tree: accept null ids in existing trees when updating
|
|
50186ce8
|
2018-08-26T11:26:45
|
|
Merge pull request #4374 from pks-t/pks/pack-file-verify
Pack file verification
|
|
fd7ab1d7
|
2018-08-24T09:47:09
|
|
Merge pull request #4776 from pks-t/pks/test-index-invalid-filemode
tests: verify adding index conflicts with invalid filemodes fails
|
|
503af775
|
2018-08-24T10:08:09
|
|
Merge pull request #4769 from tiennou/fix/worktree-unlock
worktree: unlock should return 1 when the worktree isn't locked
|
|
3a1f5df8
|
2018-08-24T09:15:29
|
|
tests: verify adding index conflicts with invalid filemodes fails
Commit 581d5492f (Fix leak in index.c, 2018-08-16) was fixing a memory
leak in our code adding conflicts to the index when the added index
entries have an invalid file mode. The memory leak was previously
undiscovered as there are no tests covering this scenario, which is now
being added by this commit.
|
|
cada553c
|
2018-08-19T15:54:10
|
|
Merge pull request #4754 from libgit2/ethomson/threads
threads::diff: use separate git_repository objects
|
|
2afd0185
|
2018-08-19T12:57:29
|
|
threads::iterator: use separate repository objects
Our thread policies state that we cannot re-use the `git_repository`
across threads. Our tests cannot deviate from that.
Courtesy of Ximin Luo, https://github.com/infinity0:
https://github.com/libgit2/libgit2/issues/4753#issuecomment-412247757
|
|
59c2e70e
|
2018-08-17T00:51:51
|
|
worktree: unlock should return 1 when the worktree isn't locked
The documentation states that git_worktree_unlock returns 0 on success,
and 1 on success if the worktree wasn't locked. Turns out we were
returning 0 in any of those cases.
|
|
6698e056
|
2018-08-14T04:22:14
|
|
Fix the test and comment.
|
|
f1409500
|
2018-08-14T03:54:01
|
|
Write a test.
|
|
d1919485
|
2018-08-05T11:01:14
|
|
threads::diff: use separate git_repository objects
Our thread policies state that we cannot re-use the `git_repository`
across threads. Our tests cannot deviate from that.
|
|
f00db9ed
|
2018-07-27T12:00:37
|
|
tree: rename from_tree to validate and clarify the tree in the test
|
|
219512e7
|
2018-07-20T14:14:16
|
|
buf tests: allocate a smaller size for the oom
On Linux (where we run valgrind) allocate a smaller buffer, but still an
insanely large size. This will cause malloc to fail but will not cause
valgrind to report a likely error with a negative-sized malloc.
Keep the original buffer size on non-Linux platforms: this is
well-tested on them and changing it may be problematic. On macOS, for
example, using the new size causes `malloc` to print a warning to
stderr.
|
|
ce798b25
|
2018-07-04T10:56:56
|
|
tests: simplify cmake test configuration
Simplify the names for the tests, removing the unnecessary
"libgit2-clar" prefix. Make "all" the new default test run, and include
the online tests by default (since HTTPS should always be enabled).
For the CI tests, create an offline-only test, then the various online
tests.
|
|
d285de73
|
2018-07-20T21:52:24
|
|
push tests: deeply free the specs
Don't just free the spec vector, also free the specs themselves.
|
|
dad99881
|
2018-07-20T21:51:36
|
|
push tests: deeply free the push status
Don't just free the push status structure, actually free the strings that were
strdup'd into the struct as well.
|
|
0652abaa
|
2018-07-20T12:56:49
|
|
Merge pull request #4702 from tiennou/fix/coverity
Assorted Coverity fixes
|
|
2dff7e28
|
2018-07-18T21:04:13
|
|
tree: accept null ids in existing trees when updating
When we add entries to a treebuilder we validate them. But we validate even
those that we're adding because they exist in the base tree. This disables
using the normal mechanisms on these trees, even to fix them.
Keep track of whether the entry we're appending comes from an existing tree and
bypass the name and id validation if it's from existing data.
|
|
e1a4a8eb
|
2018-06-25T11:58:34
|
|
cmake: enforce C90 standard
While the aim of libgit2 was to conform to C90 code, we never instructed
the compiler to enforce C90 compliance. Thus, quite a few violations
were able to get into our code base, which have been removed with the
previous commits. As we are now able to build libgit2 with C90 enforced,
we can set the C_STANDARD property for our own build targets.
Note that we explicitly avoid setting the C standard for our third-party
dependencies. At least the zlib target does not build with C90 enforced,
and we do not want to fix them by deviating from upstream. Thus we
simply enforce no standard for them.
|
|
c13e56f9
|
2018-06-25T14:12:53
|
|
cmake: distinguish internal and system include directories
While we want to enforce strict C90 mode, this may cause issues with
system provided header files which are themselves not strictly
conforming. E.g. if a system header has C++ style comments, a compiler
in strict C90 mode would produce an error and abort the build. As the
user most likely doesn't want to change the system header, this would
completely break the build on such systems. One example of this is
mbedtls, which provides such header files.
The problem can be worked around by distinguishing between
system-provided and project-provided include directories. When adding
include directories via "-isystem" instead of "-I", the compiler will
skip certain checks and print out less warnings. To use system includes,
we can simply add the "SYSTEM" flag to CMake's `INCLUDE_DIRECTORIES` and
`TARGET_INCLUDE_DIRECTORIES` functions. Note that we have to split the
include directories into two variables because of this, as we definitely
still want to check for all warnings produced by our own header files.
|
|
9994cd3f
|
2018-06-25T11:56:52
|
|
treewide: remove use of C++ style comments
C++ style comment ("//") are not specified by the ISO C90 standard and
thus do not conform to it. While libgit2 aims to conform to C90, we did
not enforce it until now, which is why quite a lot of these
non-conforming comments have snuck into our codebase. Do a tree-wide
conversion of all C++ style comments to the supported C style comments
to allow us enforcing strict C90 compliance in a later commit.
|
|
6dfc8bc2
|
2018-07-09T23:10:05
|
|
Merge pull request #4719 from pks-t/pks/delta-oob
Delta OOB access
|
|
89091d36
|
2018-07-06T20:24:21
|
|
tests: fix a relative pathname issue
The path given to `git_index_add_bypath` is relative to the root of the
repository. That `describe/file` path is relative to the root of the
sandbox directory, hence if I add the missing `cl_git_pass` I rightfully
get an error that `$SANDBOX/describe/describe/file doesn't exist`.
The path is thus changed to be made relative to the repository, which
makes the failure go away and "restore" the test.
|
|
8455a270
|
2018-07-01T12:04:27
|
|
tests: add missing cl_git_pass to tests
Reported by Coverity, CID 1393678-1393697.
|
|
17bd3b96
|
2018-06-19T20:15:49
|
|
tests: mailmap/parsing: add a missing cl_git_pass
Reported by Coverity, CID 1393483
|
|
f4633791
|
2018-07-06T12:36:05
|
|
Merge pull request #4687 from tiennou/fix/4672
patch_parse: populate line numbers while parsing diffs
|
|
f2a1cece
|
2018-07-06T11:25:47
|
|
Merge pull request #4686 from tiennou/fix/more-worktree-from-bare
Fix git_worktree_validate failing on bare repositories
|
|
8a00de08
|
2018-07-06T10:47:06
|
|
Merge pull request #4699 from nelhage/fetch-null-dst
git_refspec_transform: Handle NULL dst
|
|
c43658f6
|
2018-06-30T13:24:23
|
|
Merge pull request #4536 from libgit2/ethomson/index_dirty
Add a "dirty" state to the index when it has unsaved changes
|
|
ff8edac9
|
2018-06-29T16:18:36
|
|
formatting fix
|
|
bfa1f022
|
2018-06-22T19:17:08
|
|
settings: optional unsaved index safety
Add the `GIT_OPT_ENABLE_UNSAVED_INDEX_SAFETY` option, which will cause
commands that reload the on-disk index to fail if the current
`git_index` has changed that have not been saved. This will prevent
users from - for example - adding a file to the index then calling a
function like `git_checkout` and having that file be silently removed
from the index since it was re-read from disk.
Now calls that would re-read the index will fail if the index is
"dirty", meaning changes have been made to it but have not been written.
Users can either `git_index_read` to discard those changes explicitly,
or `git_index_write` to write them.
|
|
787768c2
|
2018-06-22T19:07:54
|
|
index: return a unique error code on dirty index
When the index is dirty, return GIT_EINDEXDIRTY so that consumers can
identify the exact problem programatically.
|
|
5e26391a
|
2018-06-18T18:28:08
|
|
checkout: FORCE doesn't halt on dirty index
If the index is dirty, allow `GIT_CHECKOUT_FORCE` to obliterate unsaved
changes. This is in keeping with its name and description.
|
|
b242cdbf
|
2017-11-17T00:19:07
|
|
index: commit the changes to the index properly
Now that the index has a "dirty" state, where it has changes that have
not yet been committed or rolled back, our tests need to be adapted to
actually commit or rollback the changes instead of assuming that the
index can be operated on in its indeterminate state.
|
|
dc4a18c7
|
2017-11-12T08:23:13
|
|
index: test dirty index bit
Test that any changes to the index will mark the index as dirty. Also
ensure that when we initialize a new index, read the index contents
from disk, or write the index contents to disk that we reset the dirty
flag to zero. Further ensure that an unforced read with dirty contents
(when the on-disk index has not changed) does _not_ reset the dirty
flag as we have not updated the contents of our index and our unsaved
contents remain intact.
|
|
55a96606
|
2018-06-18T16:14:26
|
|
checkout tests: validate GIT_CHECKOUT_NO_REFRESH
Add tests that ensure that we re-read the on-disk image by default
during checkout, but when the `GIT_CHECKOUT_NO_REFRESH` option is
specified, we do _not_ re-read the index.
|
|
8356bf7e
|
2018-06-29T14:39:14
|
|
tests: worktree/bare: test some paths
|
|
d0921127
|
2018-06-29T14:39:13
|
|
tests: add a helper to build sandbox subpaths quickly
|
|
83c35f7e
|
2018-06-29T14:39:11
|
|
tests: worktree/bare: fix git_worktree_validate
|
|
bd40f0d7
|
2018-06-29T14:39:10
|
|
tests: worktree/bare: check git_worktree_list
|
|
7e3c13e0
|
2018-06-29T14:39:08
|
|
tests: worktree/bare: gather all tests
|
|
af3088e4
|
2018-06-29T11:45:15
|
|
refspec: rename `git_refspec__free` to `git_refspec__dispose`
Since commit 630a67366 (refspec: add public parsing api, 2018-02-07), we
now have two functions `git_refspec_free` and `git_refspec__free`. The
difference is that the first one will free the structure itself, while
the second one will only free the structure's contents. Use our new
`dispose` naming pattern for the latter function to help avoid
confusion.
|
|
7192e26f
|
2018-06-29T09:43:33
|
|
Merge pull request #4519 from cynecx/refspec-parsing
refspec: add public parsing api
|
|
24597812
|
2018-06-29T09:11:02
|
|
delta: fix out-of-bounds read of delta
When computing the offset and length of the delta base, we repeatedly
increment the `delta` pointer without checking whether we have advanced
past its end already, which can thus result in an out-of-bounds read.
Fix this by repeatedly checking whether we have reached the end. Add a
test which would cause Valgrind to produce an error.
Reported-by: Riccardo Schirone <rschiron@redhat.com>
Test-provided-by: Riccardo Schirone <rschiron@redhat.com>
|
|
7db25870
|
2018-06-29T07:45:18
|
|
delta: fix sign-extension of big left-shift
Our delta code was originally adapted from JGit, which itself adapted it
from git itself. Due to this heritage, we inherited a bug from git.git
in how we compute the delta offset, which was fixed upstream in
48fb7deb5 (Fix big left-shifts of unsigned char, 2009-06-17). As
explained by Linus:
Shifting 'unsigned char' or 'unsigned short' left can result in sign
extension errors, since the C integer promotion rules means that the
unsigned char/short will get implicitly promoted to a signed 'int' due to
the shift (or due to other operations).
This normally doesn't matter, but if you shift things up sufficiently, it
will now set the sign bit in 'int', and a subsequent cast to a bigger type
(eg 'long' or 'unsigned long') will now sign-extend the value despite the
original expression being unsigned.
One example of this would be something like
unsigned long size;
unsigned char c;
size += c << 24;
where despite all the variables being unsigned, 'c << 24' ends up being a
signed entity, and will get sign-extended when then doing the addition in
an 'unsigned long' type.
Since git uses 'unsigned char' pointers extensively, we actually have this
bug in a couple of places.
In our delta code, we inherited such a bogus shift when computing the
offset at which the delta base is to be found. Due to the sign extension
we can end up with an offset where all the bits are set. This can allow
an arbitrary memory read, as the addition in `base_len < off + len` can
now overflow if `off` has all its bits set.
Fix the issue by casting the result of `*delta++ << 24UL` to an unsigned
integer again. Add a test with a crafted delta that would actually
succeed with an out-of-bounds read in case where the cast wouldn't
exist.
Reported-by: Riccardo Schirone <rschiron@redhat.com>
Test-provided-by: Riccardo Schirone <rschiron@redhat.com>
|
|
7330ae67
|
2018-06-26T10:45:57
|
|
index::addall tests: write the index
When running `git_index_add_all`, we should write the index to disk so
that we can re-read it safely during status.
|
|
08ea0d7d
|
2018-02-18T11:49:08
|
|
index::reuc tests: test that checkout succeeds
The index::reuc tests must test that the checkout itself succeeds,
otherwise subsequent tests are not valid.
In fact, the checkouts were failing because when checking out `SAFE`,
they cannot update the files that are in conflict. Change the checkout
level to `FORCE` to ensure that they get updated correctly.
|
|
c4ce017f
|
2018-02-18T22:27:34
|
|
index::names tests: add conflicts with high stages
We add entries into the main index to correspond with the NAME entries
that we're going to test. NAME entries store the results of conflicts
occuring with rename detection during merge, and they must correspond to
conflicts in the index.
This test was mistakenly adding regular entries. The checkout
validation failed, since it requires NAME entries to correspond to
high-stage (conflict) entries. Correct the test to actually create
conflicts.
|
|
46c9f26f
|
2018-06-25T15:47:31
|
|
Add a test.
Verified that this breaks before the fix and passes afterwards.
|
|
4fd81c53
|
2018-06-18T19:43:53
|
|
Clear revwalk sorting when resetting
Currently we fail to clear the sorting flag for revwalks when resetting.
This caused a poor interaction with the limited flag during a recent
patch. This patch clears the revwalk sorting flag and causes it to no
longer persist over resets.
|