diff options
| author |  Jeff King <peff@peff.net> | 2017-10-05 01:59:52 -0400 |
|---|---|---|
| committer |  Junio C Hamano <gitster@pobox.com> | 2017-10-06 13:04:41 +0900 |
| commit | b3ea7dd32d6f8dc117b782ec5ca54ef8f65280c9 (patch) | |
| tree | 7a13a3855824e55dbf37d8b1158bc8152d87202a | |
| parent | Git 2.14.2 (diff) | |
| download | tgif-b3ea7dd32d6f8dc117b782ec5ca54ef8f65280c9.tar.xz | |
sha1_loose_object_info: handle errors from unpack_sha1_rest
When a caller of sha1_object_info_extended() sets the
"contentp" field in object_info, we call unpack_sha1_rest()
but do not check whether it signaled an error.
This causes two problems:
1. We pass back NULL to the caller via the contentp field,
but the function returns "0" for success. A caller
might reasonably expect after a successful return that
it can access contentp without a NULL check and
segfault.
As it happens, this is impossible to trigger in the
current code. There is exactly one caller which uses
contentp, read_object(). And the only thing it does
after a successful call is to return the content
pointer to its caller, using NULL as a sentinel for
errors. So in effect it converts the success code from
sha1_object_info_extended() back into an error!
But this is still worth addressing avoid problems for
future users of "contentp".
2. Callers of unpack_sha1_rest() are expected to close the
zlib stream themselves on error. Which means that we're
leaking the stream.
The problem in (1) comes from from c84a1f3ed4 (sha1_file:
refactor read_object, 2017-06-21), which added the contentp
field. Before that, we called unpack_sha1_rest() via
unpack_sha1_file(), which directly used the NULL to signal
an error.
But note that the leak in (2) is actually older than that.
The original unpack_sha1_file() directly returned the result
of unpack_sha1_rest() to its caller, when it should have
been closing the zlib stream itself on error.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
| -rw-r--r-- | sha1_file.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/sha1_file.c b/sha1_file.c index 4fa4b185f3..8548d29d88 100644 --- a/sha1_file.c +++ b/sha1_file.c @@ -2963,10 +2963,14 @@ static int sha1_loose_object_info(const unsigned char *sha1, } else if ((status = parse_sha1_header_extended(hdr, oi, flags)) < 0) status = error("unable to parse %s header", sha1_to_hex(sha1)); - if (status >= 0 && oi->contentp) + if (status >= 0 && oi->contentp) { *oi->contentp = unpack_sha1_rest(&stream, hdr, *oi->sizep, sha1); - else + if (!*oi->contentp) { + git_inflate_end(&stream); + status = -1; + } + } else git_inflate_end(&stream); munmap(map, mapsize); |