| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
A few strbuf functions store the length of a strbuf in a
temporary variable. We should always use size_t for this, as
it's possible for a strbuf to exceed an "int" (e.g., a 2GB
string on a 64-bit system). This is unlikely in practice,
but we should try to behave sensibly on silly or malicious
input.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
|
|
The iconv interface takes a size_t, which is the appropriate
type for an in-memory buffer. But our reencode_string_*
functions use integers, meaning we may get confusing results
when the sizes exceed INT_MAX. Let's use size_t
consistently.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
|
|
When converting a string with iconv, if the output buffer
isn't big enough, we grow it. But our growth is done without
any concern for integer overflow. So when we add:
outalloc = sofar + insz * 2 + 32;
we may end up wrapping outalloc (which is a size_t), and
allocating a too-small buffer. We then manipulate it
further:
outsz = outalloc - sofar - 1;
and feed outsz back to iconv. If outalloc is wrapped and
smaller than sofar, we'll end up with a small allocation but
feed a very large outsz to iconv, which could result in it
overflowing the buffer.
Can we use this to construct an attack wherein the victim
clones a repository with a very large commit object with an
encoding header, and running "git log" reencodes it into
utf8, causing an overflow?
An attack of this sort is likely impossible in practice.
"sofar" is how many output bytes we've written total, and
"insz" is the number of input bytes remaining. Imagine our
input doubles in size as we output it (which is easy to do
by converting latin1 to utf8, for example), and that we
start with N input bytes. Our initial output buffer also
starts at N bytes, so after the first call we'd have N/2
input bytes remaining (insz), and have written N bytes
(sofar). That means our next allocation will be
(N + N/2 * 2 + 32) bytes, or (2N + 32).
We can therefore overflow a 32-bit size_t with a commit
message that's just under 2^31 bytes, assuming it consists
mostly of "doubling" sequences (e.g., latin1 0xe1 which
becomes utf8 0xc3 0xa1).
But we'll never make it that far with such a message. We'll
be spending 2^31 bytes on the original string. And our
initial output buffer will also be 2^31 bytes. Which is not
going to succeed on a system with a 32-bit size_t, since
there will be other things using the address space, too. The
initial malloc will fail.
If we imagine instead that we can triple the size when
converting, then our second allocation becomes
(N + 2/3N * 2 + 32), or (7/3N + 32). That still requires two
allocations of 3/7 of our address space (6/7 of the total)
to succeed.
If we imagine we can quadruple, it becomes (5/2N + 32); we
need to be able to allocate 4/5 of the address space to
succeed.
This might start to get plausible. But is it possible to get
a 4-to-1 increase in size? Probably if you're converting to
some obscure encoding. But since git defaults to utf8 for
its output, that's the likely destination encoding for an
attack. And while there are 4-character utf8 sequences, it's
unlikely that you'd be able find a single-byte source
sequence in any encoding.
So this is certainly buggy code which should be fixed, but
it is probably not a useful attack vector.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
|
|
Signed-off-by: Junio C Hamano <gitster@pobox.com>
|
|
* en/rename-directory-detection-reboot:
merge-recursive: use xstrdup() instead of fixed buffer
|
|
Merge Korean translation for l10n of Git 2.18.0 round 3
* tag 'l10n-2.18.0-rnd3.1' of git://github.com/git-l10n/git-po:
l10n: ko.po: Update Korean translation
|
|
* cf/submodule-progress-dissociate:
t7400: encapsulate setup code in test_expect_success
|
|
* js/rebase-i-root-fix:
t3404: check root commit in 'rebase -i --root reword root commit'
|
|
When running t7400 in a shell you observe more output than expected:
...
ok 8 - setup - hide init subdirectory
ok 9 - setup - repository to add submodules to
ok 10 - submodule add
[master (root-commit) d79ce16] one
Author: A U Thor <author@example.com>
1 file changed, 1 insertion(+)
create mode 100644 one.t
ok 11 - redirected submodule add does not show progress
ok 12 - redirected submodule add --progress does show progress
ok 13 - submodule add to .gitignored path fails
...
Fix the output by encapsulating the setup code in test_expect_success
Signed-off-by: Stefan Beller <sbeller@google.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
|
|
When testing a reworded root commit, ensure that the squash-onto commit
which is created and amended is still the root commit.
Suggested-by: Phillip Wood <phillip.wood@talktalk.net>
Helped-by: Johannes Schindelin <Johannes.Schindelin@gmx.de>
Signed-off-by: Todd Zullinger <tmz@pobox.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
|
|
Signed-off-by: Karthikeyan Singaravelan <tir.karthi@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
|
|
Signed-off-by: Junio C Hamano <gitster@pobox.com>
|
|
"make NO_ICONV=NoThanks" did not override NEEDS_LIBICONV
(i.e. linkage of -lintl, -liconv, etc. that are platform-specific
tweaks), which has been corrected.
* es/make-no-iconv:
Makefile: make NO_ICONV really mean "no iconv"
|
|
Test fix.
* sg/t7406-chain-fix:
t7406-submodule-update: fix broken &&-chains
|
|
A test title has been reworded to clarify it.
* ks/branch-set-upstream:
t3200: clarify description of --set-upstream test
|
|
A regression to "rebase -i --root" introduced during this cycle has
been fixed.
* js/rebase-i-root-fix:
rebase --root: fix amending root commit messages
rebase --root: demonstrate a bug while amending root commit messages
|
|
The code to read compressed bitmap was not careful to avoid reading
past the end of the file, which has been corrected.
* jk/ewah-bounds-check:
ewah: adjust callers of ewah_read_mmap()
ewah_read_mmap: bounds-check mmap reads
|
|
l10n for Git 2.18.0 round 3
* tag 'l10n-2.18.0-rnd3' of git://github.com/git-l10n/git-po:
l10n: zh_CN: for git v2.18.0 l10n round 1 to 3
l10n: bg.po: Updated Bulgarian translation (3608t)
l10n: vi.po(3608t): Update Vietnamese translation for v2.18.0 round 3
l10n: fr.po v2.18.0 round 3
l10n: es.po: Spanish update for v2.18.0 round 3
l10n: git.pot: v2.18.0 round 3 (1 new, 1 removed)
l10n: vi.po(3608t): Update Vietnamese translation for v2.18.0 round2
l10n: bg.po: Updated Bulgarian translation (3608t)
l10n: es.po: Spanish update for v2.18.0 round 2
l10n: sv.po: Update Swedish translation (3608t0f0u)
l10n: sv.po: Update Swedish translation (3470t0f0u)
l10n: git.pot: v2.18.0 round 2 (144 new, 6 removed)
l10n: fr.po v2.18 round 1
l10n: vi(3470t): Updated Vietnamese translation for v2.18.0
l10n: es.po: Spanish update for v2.18.0 round 1
l10n: git.pot: v2.18.0 round 1 (108 new, 14 removed)
l10n: TEAMS: remove inactive de team members
l10n: de.po: fix typos
l10n: Update Catalan translation
|
|
Signed-off-by: Junio C Hamano <gitster@pobox.com>
|
|
Update the Korean translation and change the team leader to Gwan-gyeong
Mun.
Signed-off-by: Gwan-gyeong Mun <elongbug@gmail.com>
Signed-off-by: Changwoo Ryu <cwryu@debian.org>
Reviewed-by: Gwan-gyeong Mun <elongbug@gmail.com>
|
|
Leakfix.
* sb/blame-color:
blame: release string_list after use in parse_color_fields()
|
|
Fix old merge glitch in Documentation during v2.13-rc0 era.
* mw/doc-merge-enumfix:
doc: update the order of the syntax `git merge --continue`
|
|
Newly added codepath in merge-recursive had potential buffer
overrun, which has been fixed.
* en/rename-directory-detection:
merge-recursive: use xstrdup() instead of fixed buffer
|
|
Doc update.
* rd/doc-remote-tracking-with-hyphen:
Use hyphenated "remote-tracking branch" (docs and comments)
|
|
Make zlib inflate codepath more robust against versions of zlib
that clobber unused portion of outbuf.
* jl/zlib-restore-nul-termination:
packfile: correct zlib buffer handling
|
|
Hotfix for contrib/ stuff broken by this cycle.
* ab/cred-netrc-no-autodie:
git-credential-netrc: remove use of "autodie"
|
|
Typofix.
* km/doc-workflows-typofix:
gitworkflows: fix grammar in 'Merge upwards' rule
|
|
"git p4" updates.
* ld/git-p4-updates:
git-p4: auto-size the block
git-p4: narrow the scope of exceptions caught when parsing an int
git-p4: raise exceptions from p4CmdList based on error from p4 server
git-p4: better error reporting when p4 fails
git-p4: add option to disable syncing of p4/master with p4
git-p4: disable-rebase: allow setting this via configuration
git-p4: add options --commit and --disable-rebase
|
|
Typofix.
* rd/diff-options-typofix:
diff-options.txt: fix minor typos, font inconsistencies, in docs
|
|
In code comment typofix
* rd/comment-typofix-in-sha1-file:
sha1-file.c: correct $GITDIR to $GIT_DIR in a comment
|
|
Paths can be longer than PATH_MAX. Avoid a buffer overrun in
check_dir_renamed() by using xstrdup() to make a private copy safely.
Signed-off-by: Rene Scharfe <l.s.r@web.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
|
|
It was not "newer versions of bash" but newer versions of
bash-completion that made commit 085e2ee0e6 (completion: load
completion file for external subcommand, 2018-04-29) both necessary
and possible.
Update the corresponding RelNotes entry accordingly.
Signed-off-by: SZEDER Gábor <szeder.dev@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
|
|
Three tests in 't7406-submodule-update' contain broken &&-chains, but
since they are all in subshells, chain-lint couldn't notice them.
Signed-off-by: SZEDER Gábor <szeder.dev@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
|
|
The code path that triggered that "BUG" really does not want to run
without an explicit commit message. In the case where we want to amend a
commit message, we have an *implicit* commit message, though: the one of
the commit to amend. Therefore, this code path should not even be
entered.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
|
|
When splitting a repository, running `git rebase -i --root` to reword
the initial commit, Git dies with
BUG: sequencer.c:795: root commit without message.
Signed-off-by: Todd Zullinger <tmz@pobox.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
|
|
The return value of ewah_read_mmap() is now an ssize_t,
since we could (in theory) process up to 32GB of data. This
would never happen in practice, but a corrupt or malicious
.bitmap or index file could convince us to do so.
Let's make sure that we don't stuff the value into an int,
which would cause us to incorrectly move our pointer
forward. We'd always move too little, since negative values
are used for reporting errors. So the worst case is just
that we end up reporting a corrupt file, not an
out-of-bounds read.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
|
|
The on-disk ewah format tells us how big the ewah data is,
and we blindly read that much from the buffer without
considering whether the mmap'd data is long enough, which
can lead to out-of-bound reads.
Let's make sure we have data available before reading it,
both for the ewah header/footer as well as for the bit data
itself. In particular:
- keep our ptr/len pair in sync as we move through the
buffer, and check it before each read
- check the size for integer overflow (this should be
impossible on 64-bit, as the size is given as a 32-bit
count of 8-byte words, but is possible on a 32-bit
system)
- return the number of bytes read as an ssize_t instead of
an int, again to prevent integer overflow
- compute the return value using a pointer difference;
this should yield the same result as the existing code,
but makes it more obvious that we got our computations
right
The included test is far from comprehensive, as it just
picks a static point at which to truncate the generated
bitmap. But in practice this will hit in the middle of an
ewah and make sure we're at least exercising this code.
Reported-by: Luat Nguyen <root@l4w.io>
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
|
|
Support for the --set-upstream option was removed in 52668846ea
(builtin/branch: stop supporting the "--set-upstream" option,
2017-08-17). The change did not completely remove the command
due to an issue noted in the commit's log message.
So, a test was added to ensure that a command which uses the
'--set-upstream' option fails instead of silently acting as an alias
for the '--set-upstream-to' option due to option parsing features.
To avoid confusion, clarify that the option is disabled intentionally
in the corresponding test description.
The test is expected to be around as long as we intentionally fail
on seeing the '--set-upstream' option which in turn we expect to
do for a period of time after which we can be sure that existing
users of '--set-upstream' are aware that the option is no
longer supported.
Signed-off-by: Kaartic Sivaraam <kaartic.sivaraam@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
|
|
Translate 251 new messages (3608t0f0u) for git 2.18.0.
Signed-off-by: Jiang Xin <worldhello.net@gmail.com>
|
|
* 'master' of git://github.com/nafmo/git-l10n-sv:
l10n: sv.po: Update Swedish translation (3608t0f0u)
l10n: sv.po: Update Swedish translation (3470t0f0u)
|
|
* 'master' of https://github.com/vnwildman/git:
l10n: vi.po(3608t): Update Vietnamese translation for v2.18.0 round 3
|
|
* 'master' of git://github.com/alshopov/git-po:
l10n: bg.po: Updated Bulgarian translation (3608t)
|
|
* 'fr_2.18_rnd3' of git://github.com/jnavila/git:
l10n: fr.po v2.18.0 round 3
|
|
Signed-off-by: Alexander Shopov <ash@kambanaria.org>
|
|
Signed-off-by: Tran Ngoc Quan <vnwildman@gmail.com>
|
|
Signed-off-by: Jean-Noël Avila <jn.avila@free.fr>
|
|
Signed-off-by: Christopher Diaz Riveros <chrisadr@gentoo.org>
|
|
Generate po/git.pot from v2.18.0-rc2 for git v2.18.0 l10n round 3.
Signed-off-by: Jiang Xin <worldhello.net@gmail.com>
|
|
* 'master' of git://github.com/git-l10n/git-po:
l10n: vi.po(3608t): Update Vietnamese translation for v2.18.0 round2
l10n: bg.po: Updated Bulgarian translation (3608t)
l10n: es.po: Spanish update for v2.18.0 round 2
l10n: git.pot: v2.18.0 round 2 (144 new, 6 removed)
l10n: fr.po v2.18 round 1
l10n: vi(3470t): Updated Vietnamese translation for v2.18.0
l10n: es.po: Spanish update for v2.18.0 round 1
l10n: git.pot: v2.18.0 round 1 (108 new, 14 removed)
l10n: TEAMS: remove inactive de team members
l10n: de.po: fix typos
l10n: Update Catalan translation
|
|
The Makefile tweak NO_ICONV is meant to allow Git to be built without
iconv in case iconv is not installed or is otherwise dysfunctional.
However, NO_ICONV's disabling of iconv is incomplete and can incorrectly
allow "-liconv" to slip into the linker flags when NEEDS_LIBICONV is
defined, which breaks the build when iconv is not installed.
On some platforms, iconv lives directly in libc, whereas, on others it
resides in libiconv. For the latter case, NEEDS_LIBICONV instructs the
Makefile to add "-liconv" to the linker flags. config.mak.uname
automatically defines NEEDS_LIBICONV for platforms which require it.
The adding of "-liconv" is done unconditionally, despite NO_ICONV.
Work around this problem by making NO_ICONV take precedence over
NEEDS_LIBICONV.
Reported by: Mahmoud Al-Qudsi <mqudsi@neosmart.net>
Signed-off-by: Eric Sunshine <sunshine@sunshineco.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
|
Jeff King
Junio C Hamano
Stefan Beller
Todd Zullinger
Karthikeyan Singaravelan
Changwoo Ryu
René Scharfe
SZEDER Gábor
Johannes Schindelin
Kaartic Sivaraam
Jiang Xin
Alexander Shopov
Tran Ngoc Quan
Jean-Noël Avila
Christopher Diaz Riveros
Eric Sunshine