Age | Commit message | Author | Files | Lines
2017-03-30 | convert unchecked snprintf into xsnprintf | Jeff King | 5 | -11/+11
These calls to snprintf should always succeed, because their input is small and fixed. Let's use xsnprintf to make sure this is the case (and to make auditing for actual truncation easier).

These could be candidates for turning into heap buffers, but they fall into a few broad categories that make it not worth doing:

- formatting single numbers is simple enough that we can see the result should fit
- the size of a sha1 is likewise well-known, and I didn't want to cause unnecessary conflicts with the ongoing process to convert these constants to GIT_MAX_HEXSZ
- the interface for curl_errorstr is dictated by curl

Signed-off-by: Jeff King <peff@peff.net>
2017-03-30 | combine-diff: replace malloc/snprintf with xstrfmt | Jeff King | 1 | -3/+4
There's no need to use the magic "100" when a strbuf can do it for us.

Signed-off-by: Jeff King <peff@peff.net>
2017-03-30 | replace unchecked snprintf calls with heap buffers | Jeff King | 4 | -14/+17
We'd prefer to avoid unchecked snprintf calls because truncation can lead to unexpected results.

These are all cases where truncation shouldn't ever happen, because the input to snprintf is fixed in size. That makes them candidates for xsnprintf(), but it's simpler still to just use the heap, and then nobody has to wonder if "100" is big enough.

We'll use xstrfmt() where possible, and a strbuf when we need the resulting size or to reuse the same buffer in a loop.

Signed-off-by: Jeff King <peff@peff.net>
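The three options these commit messages weigh up (an unchecked snprintf, a checked one, and a heap buffer), as an added example that is not code from Git or from the commits listed here. The helpers `fmt_unchecked`, `fmt_checked`, `fmt_heap`, `make_name` and `unchecked_collides` are hypothetical stand-ins, and the 32-byte buffer and 64-byte names are constructed sample values.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Unchecked: the return value is dropped, so over-long input is silently cut. */
static void fmt_unchecked(char *dst, size_t max, const char *name)
{
	snprintf(dst, max, "refs/heads/%s", name);
}

/* Checked (hypothetical stand-in): length, or -1 on truncation; Git's xsnprintf dies. */
static int fmt_checked(char *dst, size_t max, const char *fmt, ...)
{
	va_list ap;
	int len;
	va_start(ap, fmt);
	len = vsnprintf(dst, max, fmt, ap);
	va_end(ap);
	return (len < 0 || (size_t)len >= max) ? -1 : len;
}

/* Heap (hypothetical xstrfmt-like stand-in): measure first, then allocate; caller frees. */
static char *fmt_heap(const char *fmt, ...)
{
	va_list ap;
	char *out;
	int len;
	va_start(ap, fmt);
	len = vsnprintf(NULL, 0, fmt, ap);
	va_end(ap);
	if (len < 0 || !(out = malloc((size_t)len + 1)))
		return NULL;
	va_start(ap, fmt);
	vsnprintf(out, (size_t)len + 1, fmt, ap);
	va_end(ap);
	return out;
}

/* Constructed sample input: n-1 bytes of 'a' followed by `last`. */
static void make_name(char *s, size_t n, char last)
{
	memset(s, 'a', n);
	s[n - 1] = last;
	s[n] = '\0';
}

/* Returns 1 if two different 64-byte names collide after a 32-byte unchecked format. */
static int unchecked_collides(void)
{
	char x[65], y[65], a[32], b[32];
	make_name(x, 64, 'x');
	make_name(y, 64, 'y');
	fmt_unchecked(a, sizeof(a), x);
	fmt_unchecked(b, sizeof(b), y);
	return strcmp(x, y) != 0 && strcmp(a, b) == 0;
}

int main(void)
{
	char name[65], buf[32], *full;
	make_name(name, 64, 'x');
	full = fmt_heap("refs/heads/%s", name);
	printf("collide=%d checked=%d heap_len=%zu\n", unchecked_collides(),
	       fmt_checked(buf, sizeof(buf), "refs/heads/%s", name),
	       full ? strlen(full) : (size_t)0);
	free(full);
	return 0;
}
```

The collision check mirrors the patch-id concern further down the log: once the distinguishing bytes fall past the end of the buffer, two different inputs produce the same formatted string.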
2017-03-30 | receive-pack: print --pack-header directly into argv array | Jeff King | 1 | -7/+10
After receive-pack reads the pack header from the client, it feeds the already-read part to index-pack and unpack-objects via their --pack-header command-line options. To do so, we format it into a fixed buffer, then duplicate it into the child's argv_array.

Our buffer is long enough to handle any possible input, so this isn't wrong. But it's more complicated than it needs to be; we can just argv_array_pushf() the final value and avoid the intermediate copy. This drops the magic number and is more efficient, too.

Note that we need to push to the argv_array in order, which means we can't do the push until we are in the "unpack-objects versus index-pack" conditional. Rather than duplicate the slightly complicated format specifier, I pushed it into a helper function.

Signed-off-by: Jeff King <peff@peff.net>
2017-03-30 | name-rev: replace static buffer with strbuf | Jeff King | 1 | -9/+12
When name-rev needs to format an actual name, we do so into a fixed-size buffer. That includes the actual ref tip, as well as any traversal information. Since refs can exceed 1024 bytes, this means you can get a bogus result. E.g., doing:

  git tag $(perl -e 'print join("/", 1..1024)')
  git describe --contains HEAD^

results in ".../282/283", when it should be ".../1023/1024~1".

We can solve this by using a heap buffer. We'll use a strbuf, which lets us write into the same buffer from our loop without having to reallocate.

Signed-off-by: Jeff King <peff@peff.net>
2017-03-30 | create_branch: use xstrfmt for reflog message | Jeff King | 1 | -5/+4
We generate a reflog message that contains some fixed text plus a branch name, and use a buffer of size PATH_MAX + 20. This mostly works if you assume that refnames are shorter than PATH_MAX, but:

  1. That's not necessarily true. PATH_MAX is not always the filesystem's limit.

  2. The "20" is not sufficiently large for the fixed text anyway.

Let's just switch to a heap buffer so we don't have to even care.

Signed-off-by: Jeff King <peff@peff.net>
2017-03-30 | create_branch: move msg setup closer to point of use | Jeff King | 1 | -8/+9
In create_branch() we write the reflog msg into a buffer in the main function, but then use it only inside a conditional. If you carefully follow the logic, you can confirm that we never use the buffer uninitialized nor write when it would not be used. But we can make this a lot more obvious by simply moving the write step inside the conditional.

Signed-off-by: Jeff King <peff@peff.net>
2017-03-30 | avoid using mksnpath for refs | Jeff King | 1 | -18/+26
Like the previous commit, we'd like to avoid the assumption that refs fit into PATH_MAX-sized buffers. These callsites have an extra twist, though: they write the refnames using mksnpath. This does two things beyond a regular snprintf:

  1. It quietly writes "/bad-path/" when truncation occurs. This saves the caller having to check the error code, but if you aren't actually feeding the result to a system call (and we aren't here), it's questionable.

  2. It calls cleanup_path(), which removes leading instances of "./". That's questionable when dealing with refnames, as we could silently canonicalize a syntactically bogus refname into a valid one.

Let's convert each case to use a strbuf. This is preferable to xstrfmt() because we can reuse the same buffer as we loop.

Signed-off-by: Jeff King <peff@peff.net>
2017-03-30 | avoid using fixed PATH_MAX buffers for refs | Jeff King | 4 | -39/+41
Many functions which handle refs use a PATH_MAX-sized buffer to do so. This is mostly reasonable as we have to write loose refs into the filesystem, and at least on Linux the 4K PATH_MAX is big enough that nobody would care. But:

  1. The static PATH_MAX is not always the filesystem limit.

  2. On other platforms, PATH_MAX may be much smaller.

  3. As we move to alternate ref storage, we won't be bound by filesystem limits.

Let's convert these to heap buffers so we don't have to worry about truncation or size limits.

We may want to eventually constrain ref lengths for sanity and to prevent malicious names, but we should do so consistently across all platforms, and in a central place (like the ref code).

Signed-off-by: Jeff King <peff@peff.net>
2017-03-30 | fetch: use heap buffer to format reflog | Jeff King | 1 | -2/+4
Part of the reflog content comes from the environment, which can be much larger than our fixed buffer. Let's use a heap buffer so we avoid truncating it.

Signed-off-by: Jeff King <peff@peff.net>
2017-03-30 | tag: use strbuf to format tag header | Jeff King | 1 | -15/+12
We format the tag header into a fixed 1024-byte buffer. But since the tag-name and tagger ident can be arbitrarily large, we may unceremoniously die with "tag header too big". Let's just use a strbuf instead.

Note that it looks at first glance like we can just format this directly into the "buf" strbuf where it will ultimately go. But that buffer may already contain the tag message, and we have no easy way to prepend formatted data to a strbuf (we can only splice in an already-generated buffer). This isn't a performance-critical path, so going through an extra buffer isn't a big deal.

Signed-off-by: Jeff King <peff@peff.net>
2017-03-30 | diff: avoid fixed-size buffer for patch-ids | Jeff King | 1 | -31/+37
To generate a patch id, we format the diff header into a fixed-size buffer, and then feed the result to our sha1 computation. The fixed buffer has size '4*PATH_MAX + 20', which in theory accommodates the four filenames plus some extra data. Except:

  1. The filenames may not be constrained to PATH_MAX. The static value may not be a real limit on the current filesystem. Moreover, we may compute patch-ids for names stored only in git, without touching the current filesystem at all.

  2. The 20 bytes is not nearly enough to cover the extra content we put in the buffer.

As a result, the data we feed to the sha1 computation may be truncated, and it's possible that a commit with a very long filename could erroneously collide in the patch-id space with another commit. For instance, if one commit modified "really-long-filename/foo" and another modified "bar" in the same directory.

In practice this is unlikely. Because the filenames are repeated, and because there's a single cutoff at the end of the buffer, the offending filename would have to be on the order of four times larger than PATH_MAX.

We could fix this by moving to a strbuf. However, we can observe that the purpose of formatting this in the first place is to feed it to git_SHA1_Update(). So instead, let's just feed each part of the formatted string directly. This actually ends up more readable, and we can even factor out some duplicated bits from the various conditional branches.

Technically this may change the output of patch-id for very long filenames, but it's not worth making an exception for this in the --stable output. It was a bug, and one that only affected an unlikely set of paths. And anyway, the exact value would have varied from platform to platform depending on the value of PATH_MAX, so there is no "stable" value.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-03-28 | odb_mkstemp: use git_path_buf | Jeff King | 1 | -4/+2
Since git_path_buf() is smart enough to replace "objects/" with the correct object path, we can use it instead of manually assembling the path. That's slightly shorter, and will clean up any non-canonical bits in the path.

Signed-off-by: Jeff King <peff@peff.net>
2017-03-28 | odb_mkstemp: write filename into strbuf | Jeff King | 6 | -27/+30
The odb_mkstemp() function expects the caller to provide a fixed buffer to write the resulting tempfile name into. But it creates the template using snprintf without checking the return value. This means we could silently truncate the filename.

In practice, it's unlikely that the truncation would end in the template-pattern that mkstemp needs to open the file. So we'd probably end up failing either way, unless the path was specially crafted.

The simplest fix would be to notice the truncation and die. However, we can observe that most callers immediately xstrdup() the result anyway. So instead, let's switch to using a strbuf, which is easier for them (and isn't a big deal for the other 2 callers, who can just strbuf_release when they're done with it).

Note that many of the callers used static buffers, but this was purely to avoid putting a large buffer on the stack. We never passed the static buffers out of the function, so there's no complicated memory handling we need to change.

Signed-off-by: Jeff King <peff@peff.net>
2017-03-28 | do not check odb_mkstemp return value for errors | Jeff King | 4 | -8/+10
The odb_mkstemp function does not return an error; it dies on failure instead. But many of its callers compare the resulting descriptor against -1 and die themselves.

Mostly this is just pointless, but it does raise a question when looking at the callers: if they show the results of the "template" buffer after a failure, what's in it? The answer is: it doesn't matter, because it cannot happen.

So let's make that clear by removing the bogus error checks. In bitmap_writer_finish(), we can drop the error-handling code entirely. In the other two cases, it's shared with the open() in another code path; we can just move the error-check next to that open() call.

And while we're at it, let's flesh out the function's docstring a bit to make the error behavior clear.

Signed-off-by: Jeff King <peff@peff.net>
2017-03-28 | Ninth batch for 2.13 | Junio C Hamano | 1 | -30/+24
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-03-28 | Sync with 'maint' | Junio C Hamano | 1 | -0/+57
2017-03-28 | Merge branch 'jk/sha1dc' | Junio C Hamano | 1 | -5/+6
sha1dc/sha1.c wanted to check the endianness of the target platform at compilation time and used a CPP macro with a rather overly generic name, "BIGENDIAN", to pass the result of the check around in the file. It wasn't prepared for the same macro set to 0 (false) by the platform to signal that the target is _not_ a big endian box, and assumed that the endianness detection logic it has alone would be the one that is setting the macro, resulting in a breakage on Windows. This has been fixed by using a bit less generic name for the same purpose.

* jk/sha1dc:
  sha1dc: avoid CPP macro collisions
2017-03-28 | Merge branch 'jh/memihash-opt' | Junio C Hamano | 9 | -9/+848
The name-hash used for detecting paths that are different only in cases (which matter on case insensitive filesystems) has been optimized to take advantage of multi-threading when it makes sense.

* jh/memihash-opt:
  name-hash: add test-lazy-init-name-hash to .gitignore
  name-hash: add perf test for lazy_init_name_hash
  name-hash: add test-lazy-init-name-hash
  name-hash: perf improvement for lazy_init_name_hash
  hashmap: document memihash_cont, hashmap_disallow_rehash api
  hashmap: add disallow_rehash setting
  hashmap: allow memihash computation to be continued
  name-hash: specify initial size for istate.dir_hash table
2017-03-28 | Merge branch 'jk/fast-import-cleanup' | Junio C Hamano | 5 | -16/+28
Code clean-up.

* jk/fast-import-cleanup:
  pack.h: define largest possible encoded object size
  encode_in_pack_object_header: respect output buffer length
  fast-import: use xsnprintf for formatting headers
  fast-import: use xsnprintf for writing sha1s
2017-03-28 | Merge branch 'sg/skip-prefix-in-prettify-refname' | Junio C Hamano | 1 | -5/+5
Code cleanup.

* sg/skip-prefix-in-prettify-refname:
  refs.c: use skip_prefix() in prettify_refname()
2017-03-28 | Merge branch 'ab/branch-list-doc' | Junio C Hamano | 1 | -2/+7
Doc update.

* ab/branch-list-doc:
  branch doc: update description for `--list`
  branch doc: change `git branch <pattern>` to use `<branchname>`
2017-03-28 | Merge branch 'jk/pager-in-use' | Junio C Hamano | 1 | -3/+1
Code clean-up.

* jk/pager-in-use:
  pager_in_use: use git_env_bool()
2017-03-28 | Merge branch 'tg/stash-push-fixup' | Junio C Hamano | 3 | -6/+30
Recent enhancement to "git stash push" command to support pathspec to allow only a subset of working tree changes to be stashed away was found to be too chatty and exposed the internal implementation detail (e.g. when it uses reset to match the index to HEAD before doing other things, output from reset seeped out). These, and other chattiness has been fixed.

* tg/stash-push-fixup:
  stash: keep untracked files intact in stash -k
  stash: pass the pathspec argument to git reset
  stash: don't show internal implementation details
2017-03-28 | Merge branch 'sb/checkout-recurse-submodules' | Junio C Hamano | 17 | -113/+1084
"git checkout" is taught the "--recurse-submodules" option.

* sb/checkout-recurse-submodules:
  builtin/read-tree: add --recurse-submodules switch
  builtin/checkout: add --recurse-submodules switch
  entry.c: create submodules when interesting
  unpack-trees: check if we can perform the operation for submodules
  unpack-trees: pass old oid to verify_clean_submodule
  update submodules: add submodule_move_head
  submodule.c: get_super_prefix_or_empty
  update submodules: move up prepare_submodule_repo_env
  submodules: introduce check to see whether to touch a submodule
  update submodules: add a config option to determine if submodules are updated
  update submodules: add submodule config parsing
  make is_submodule_populated gently
  lib-submodule-update.sh: define tests for recursing into submodules
  lib-submodule-update.sh: replace sha1 by hash
  lib-submodule-update: teach test_submodule_content the -C <dir> flag
  lib-submodule-update.sh: do not use ./. as submodule remote
  lib-submodule-update.sh: reorder create_lib_submodule_repo
  submodule--helper.c: remove duplicate code
  connect_work_tree_and_git_dir: safely create leading directories
2017-03-28 | Merge branch 'bw/grep-recurse-submodules' | Junio C Hamano | 2 | -17/+16
Build fix for NO_PTHREADS build.

* bw/grep-recurse-submodules:
  grep: fix builds with with no thread support
  grep: set default output method
2017-03-28 | Prepare for 2.12.3 | Junio C Hamano | 2 | -1/+58
2017-03-28 | Merge branch 'km/config-grammofix' into maint | Junio C Hamano | 1 | -3/+3
Doc update.

* km/config-grammofix:
  doc/config: grammar fixes for core.{editor,commentChar}
2017-03-28 | Merge branch 'sb/t3600-rephrase' into maint | Junio C Hamano | 1 | -1/+1
A test retitling.

* sb/t3600-rephrase:
  t3600: rename test to describe its functionality
2017-03-28 | Merge branch 'sb/submodule-update-initial-runs-custom-script' into maint | Junio C Hamano | 1 | -3/+3
A test fix.

* sb/submodule-update-initial-runs-custom-script:
  t7406: correct test case for submodule-update initial population
2017-03-28 | Merge branch 'jk/quote-env-path-list-component' into maint | Junio C Hamano | 1 | -0/+1
A test fix.

* jk/quote-env-path-list-component:
  t5615: fix a here-doc syntax error
2017-03-28 | Merge branch 'rs/update-hook-optim' into maint | Junio C Hamano | 1 | -8/+5
Code clean-up.

* rs/update-hook-optim:
  receive-pack: simplify run_update_post_hook()
2017-03-28 | Merge branch 'rs/shortlog-cleanup' into maint | Junio C Hamano | 1 | -1/+0
Code clean-up.

* rs/shortlog-cleanup:
  shortlog: don't set after_subject to an empty string
2017-03-28 | Merge branch 'rs/path-name-safety-cleanup' into maint | Junio C Hamano | 1 | -2/+0
Code clean-up.

* rs/path-name-safety-cleanup:
  revision: remove declaration of path_name()
2017-03-28 | Merge branch 'rs/http-push-cleanup' into maint | Junio C Hamano | 1 | -5/+3
Code clean-up.

* rs/http-push-cleanup:
  http-push: don't check return value of lookup_unknown_object()
2017-03-28 | Merge branch 'sb/wt-status-cleanup' into maint | Junio C Hamano | 1 | -15/+5
Code clean-up.

* sb/wt-status-cleanup:
  wt-status: simplify by using for_each_string_list_item
2017-03-28 | Merge branch 'jk/pack-name-cleanups' into maint | Junio C Hamano | 6 | -46/+57
Code clean-up.

* jk/pack-name-cleanups:
  index-pack: make pointer-alias fallbacks safer
  replace snprintf with odb_pack_name()
  odb_pack_keep(): stop generating keepfile name
  sha1_file.c: make pack-name helper globally accessible
  move odb_* declarations out of git-compat-util.h
2017-03-28 | Merge branch 'jk/rev-parse-cleanup' into maint | Junio C Hamano | 1 | -52/+57
Code clean-up.

* jk/rev-parse-cleanup:
  rev-parse: simplify parsing of ref options
  rev-parse: add helper for parsing "--foo/--foo="
  rev-parse: use skip_prefix when parsing options
2017-03-28 | Merge branch 'rs/blame-code-cleanup' into maint | Junio C Hamano | 1 | -17/+8
Code clean-up.

* rs/blame-code-cleanup:
  blame: move blame_entry duplication to add_blame_entry()
2017-03-28 | Merge branch 'st/verify-tag' into maint | Junio C Hamano | 2 | -14/+10
A few unterminated here documents in tests were fixed, which in turn revealed incorrect expectations the tests make. These tests have been updated.

* st/verify-tag:
  t7004, t7030: fix here-doc syntax errors
2017-03-28 | Merge branch 'js/regexec-buf' into maint | Junio C Hamano | 2 | -2/+10
Fix for potential segv introduced in v2.11.0 and later (also v2.10.2).

* js/regexec-buf:
  pickaxe: fix segfault with '-S<...> --pickaxe-regex'
2017-03-28 | Merge branch 'jk/execv-dashed-external' into maint | Junio C Hamano | 1 | -1/+1
Fix for NO_PTHREADS build.

* jk/execv-dashed-external:
  run-command: fix segfault when cleaning forked async process
2017-03-28 | Merge branch 'ew/http-alternates-as-redirects-warning' into maint | Junio C Hamano | 1 | -3/+7
Recent versions of Git treat http alternates (used in dumb http transport) just like HTTP redirects and require the client to enable following it, due to security concerns. But we forgot to give a warning when we decide not to honor the alternates.

* ew/http-alternates-as-redirects-warning:
  http: release strbuf on disabled alternates
  http: inform about alternates-as-redirects behavior
2017-03-28 | Merge branch 'dp/filter-branch-prune-empty' into maint | Junio C Hamano | 4 | -8/+50
"git filter-branch --prune-empty" drops a single-parent commit that becomes a no-op, but did not drop a root commit whose tree is empty.

* dp/filter-branch-prune-empty:
  p7000: add test for filter-branch with --prune-empty
  filter-branch: fix --prune-empty on parentless commits
  t7003: ensure --prune-empty removes entire branch when applicable
  t7003: ensure --prune-empty can prune root commit
2017-03-28 | Merge branch 'mm/fetch-show-error-message-on-unadvertised-object' into maint | Junio C Hamano | 7 | -30/+66
"git fetch" that requests a commit by object name, when the other side does not allow such a request, failed without much explanation.

* mm/fetch-show-error-message-on-unadvertised-object:
  fetch-pack: add specific error for fetching an unadvertised object
  fetch_refs_via_pack: call report_unmatched_refs
  fetch-pack: move code to report unmatched refs to a function
2017-03-28 | Merge branch 'jk/interpret-branch-name' into maint | Junio C Hamano | 10 | -51/+249
"git branch @" created refs/heads/@ as a branch, and in general the code that handled @{-1} and @{upstream} was a bit too loose in disambiguating.

* jk/interpret-branch-name:
  checkout: restrict @-expansions when finding branch
  strbuf_check_ref_format(): expand only local branches
  branch: restrict @-expansions when deleting
  t3204: test git-branch @-expansion corner cases
  interpret_branch_name: allow callers to restrict expansions
  strbuf_branchname: add docstring
  strbuf_branchname: drop return value
  interpret_branch_name: move docstring to header file
  interpret_branch_name(): handle auto-namelen for @{-1}
2017-03-28 | Merge branch 'ab/cond-skip-tests' into maint | Junio C Hamano | 3 | -1/+16
A few tests were run conditionally under (rare) conditions where they cannot be run (like running cvs tests under 'root' account).

* ab/cond-skip-tests:
  gitweb tests: skip tests when we don't have Time::HiRes
  gitweb tests: change confusing "skip_all" phrasing
  cvs tests: skip tests that call "cvs commit" when running as root
2017-03-28 | Merge branch 'jk/ident-empty' into maint | Junio C Hamano | 2 | -19/+66
user.email that consists of only cruft chars should consistently error out, but didn't.

* jk/ident-empty:
  ident: do not ignore empty config name/email
  ident: reject all-crud ident name
  ident: handle NULL email when complaining of empty name
  ident: mark error messages for translation
2017-03-28 | Merge branch 'jk/delta-chain-limit' into maint | Junio C Hamano | 3 | -23/+207
"git repack --depth=<n>" for a long time busted the specified depth when reusing delta from existing packs. This has been corrected.

* jk/delta-chain-limit:
  pack-objects: convert recursion to iteration in break_delta_chain()
  pack-objects: enforce --depth limit in reused deltas
2017-03-28 | Merge branch 'sg/test-with-stdin' into maint | Junio C Hamano | 2 | -8/+4
Teach the "debug" helper used in the test framework that allows a command to run under "gdb" to make the session interactive.

* sg/test-with-stdin:
  tests: make the 'test_pause' helper work in non-verbose mode
  tests: create an interactive gdb session with the 'debug' helper