summaryrefslogtreecommitdiff
path: root/fuzz-pack-headers.c
diff options
context:
space:
mode:
authorLibravatar Taylor Blau <me@ttaylorr.com>2020-12-03 13:55:18 -0500
committerLibravatar Junio C Hamano <gitster@pobox.com>2020-12-03 12:42:33 -0800
commit8d133f500a5390a089988141cdec8154a732764d (patch)
tree3f22e88f7696eda19ad92285c66a53ad75b6c5e3 /fuzz-pack-headers.c
parentbuiltin/clone.c: don't ignore transport_fetch_refs() errors (diff)
downloadtgif-8d133f500a5390a089988141cdec8154a732764d.tar.xz
upload-pack.c: don't free allowed_filters util pointers
To keep track of which object filters are allowed or not, 'git upload-pack' stores the name of each filter in a string_list, and sets it ->util pointer to be either 0 or 1, indicating whether it is banned or allowed. Later on, we attempt to clear that list, but we incorrectly ask for the util pointers to be free()'d, too. This behavior (introduced back in 6dd3456a8c (upload-pack.c: allow banning certain object filter(s), 2020-08-03)) leads to an invalid free, and causes us to crash. In order to trigger this, one needs to fetch from a server that (a) has at least one object filter allowed, and (b) issue a fetch that contains a subset of the allowed filters (i.e., we cannot ask for a banned filter, since this causes us to die() before we hit the bogus string_list_clear()). In that case, whatever banned filters exist will cause a noop free() (since those ->util pointers are set to 0), but the first allowed filter we try to free will crash us. We never noticed this in the tests because we didn't have an example of setting 'uploadPackFilter' configuration variables and then following up with a valid fetch. The first new 'git clone' prevents further regression here. For good measure on top, add a test which checks the same behavior at a tree depth greater than 0. Signed-off-by: Taylor Blau <me@ttaylorr.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'fuzz-pack-headers.c')
0 files changed, 0 insertions, 0 deletions