summaryrefslogtreecommitdiff
AgeCommit message (Collapse)AuthorFilesLines
2015-09-25archive-tar: use xsnprintf for trivial formattingLibravatar Jeff King1-13/+13
When we generate tar headers, we sprintf() values directly into a struct with the fixed-size header values. For the most part this is fine, as we are formatting small values (e.g., the octal format of "mode & 0x7777" is of fixed length). But it's still a good idea to use xsnprintf here. It communicates to readers what our expectation is, and it provides a run-time check that we are not overflowing the buffers. The one exception here is the mtime, which comes from the epoch time of the commit we are archiving. For sane values, this fits into the 12-byte value allocated in the header. But since git can handle 64-bit times, if I claim to be a visitor from the year 10,000 AD, I can overflow the buffer. This turns out to be harmless, as we simply overflow into the chksum field, which is then overwritten. This case is also best as an xsnprintf. It should never come up, short of extremely malformed dates, and in that case we are probably better off dying than silently truncating the date value (and we cannot expand the size of the buffer, since it is dictated by the ustar format). Our friends in the year 5138 (when we legitimately flip to a 12-digit epoch) can deal with that problem then. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-25convert trivial sprintf / strcpy calls to xsnprintfLibravatar Jeff King20-47/+52
We sometimes sprintf into fixed-size buffers when we know that the buffer is large enough to fit the input (either because it's a constant, or because it's numeric input that is bounded in size). Likewise with strcpy of constant strings. However, these sites make it hard to audit sprintf and strcpy calls for buffer overflows, as a reader has to cross-reference the size of the array with the input. Let's use xsnprintf instead, which communicates to a reader that we don't expect this to overflow (and catches the mistake in case we do). Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-25compat/inet_ntop: fix off-by-one in inet_ntop4Libravatar Jeff King1-3/+3
Our compat inet_ntop4 function writes to a temporary buffer with snprintf, and then uses strcpy to put the result into the final "dst" buffer. We check the return value of snprintf against the size of "dst", but fail to account for the NUL terminator. As a result, we may overflow "dst" with a single NUL. In practice, this doesn't happen because the output of inet_ntop is limited, and we provide buffers that are way oversized. We can fix the off-by-one check easily, but while we are here let's also use strlcpy for increased safety, just in case there are other bugs lurking. As a side note, this compat code seems to be BSD-derived. Searching for "vixie inet_ntop" turns up NetBSD's latest version of the same code, which has an identical fix (and switches to strlcpy, too!). Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-25test-dump-cache-tree: avoid overflow of cache-tree nameLibravatar Jeff King1-1/+1
When dumping a cache-tree, we sprintf sub-tree names directly into a fixed-size buffer, which can overflow. We can trivially fix this by converting to xsnprintf to at least notice and die. This probably should handle arbitrary-sized names, but there's not much point. It's used only by the test scripts, so the trivial fix is enough. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-25progress: store throughput display in a strbufLibravatar Jeff King1-10/+8
Coverity noticed that we strncpy() into a fixed-size buffer without making sure that it actually ended up NUL-terminated. This is unlikely to be a bug in practice, since throughput strings rarely hit 32 characters, but it would be nice to clean it up. The most obvious way to do so is to add a NUL-terminator. But instead, this patch switches the fixed-size buffer out for a strbuf. At first glance this seems much less efficient, until we realize that filling in the fixed-size buffer is done by writing into a strbuf and copying the result! By writing straight to the buffer, we actually end up more efficient: 1. We avoid an extra copy of the bytes. 2. Rather than malloc/free each time progress is shown, we can strbuf_reset and use the same buffer each time. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-25trace: use strbuf for quote_crnl outputLibravatar Jeff King1-12/+11
When we output GIT_TRACE_SETUP paths, we quote any meta-characters. But our buffer to hold the result is only PATH_MAX bytes, and we could double the size of the input path (if every character needs quoting). We could use a 2*PATH_MAX buffer, if we assume the input will never be more than PATH_MAX. But it's easier still to just switch to a strbuf and not worry about whether the input can exceed PATH_MAX or not. The original copied the "p2" pointer to "p1", advancing both. Since this gets rid of "p1", let's also drop "p2", whose name is now confusing. We can just advance the original "path" pointer. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-25mailsplit: make PATH_MAX buffers dynamicLibravatar Jeff King1-11/+23
There are several PATH_MAX-sized buffers in mailsplit, along with some questionable uses of sprintf. These are not really of security interest, as local mailsplit pathnames are not typically under control of an attacker, and you could generally only overflow a few numbers at the end of a path that approaches PATH_MAX (a longer path would choke mailsplit long before). But it does not hurt to be careful, and as a bonus we lift some limits for systems with too-small PATH_MAX varibles. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-25fsck: use strbuf to generate alternate directoriesLibravatar Jeff King1-5/+6
When fsck-ing alternates, we make a copy of the alternate directory in a fixed PATH_MAX buffer. We memcpy directly, without any check whether we are overflowing the buffer. This is OK if PATH_MAX is a true representation of the maximum path on the system, because any path here will have already been vetted by the alternates subsystem. But that is not true on every system, so we should be more careful. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-25add reentrant variants of sha1_to_hex and find_unique_abbrevLibravatar Jeff King5-10/+67
The sha1_to_hex and find_unique_abbrev functions always write into reusable static buffers. There are a few problems with this: - future calls overwrite our result. This is especially annoying with find_unique_abbrev, which does not have a ring of buffers, so you cannot even printf() a result that has two abbreviated sha1s. - if you want to put the result into another buffer, we often strcpy, which looks suspicious when auditing for overflows. This patch introduces sha1_to_hex_r and find_unique_abbrev_r, which write into a user-provided buffer. Of course this is just punting on the overflow-auditing, as the buffer obviously needs to be GIT_SHA1_HEXSZ + 1 bytes. But it is much easier to audit, since that is a well-known size. We retain the non-reentrant forms, which just become thin wrappers around the reentrant ones. This patch also adds a strbuf variant of find_unique_abbrev, which will be handy in later patches. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-25strbuf: make strbuf_complete_line more genericLibravatar Jeff King1-2/+13
The strbuf_complete_line function makes sure that a buffer ends in a newline. But we may want to do this for any character (e.g., "/" on the end of a path). Let's factor out a generic version, and keep strbuf_complete_line as a thin wrapper. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-25add git_path_buf helper functionLibravatar Jeff King2-0/+12
If you have a function that uses git_path a lot, but would prefer to avoid the static buffers, it's useful to keep a single scratch buffer locally and reuse it for each call. You used to be able to do this with git_snpath: char buf[PATH_MAX]; foo(git_snpath(buf, sizeof(buf), "foo")); bar(git_snpath(buf, sizeof(buf), "bar")); but since 1a83c24, git_snpath has been replaced with strbuf_git_path. This is good, because it removes the arbitrary PATH_MAX limit. But using strbuf_git_path is more awkward for two reasons: 1. It adds to the buffer, rather than replacing it. This is consistent with other strbuf functions, but makes reuse of a single buffer more tedious. 2. It doesn't return the buffer, so you can't format as part of a function's arguments. The new git_path_buf solves both of these, so you can use it like: struct strbuf buf = STRBUF_INIT; foo(git_path_buf(&buf, "foo")); bar(git_path_buf(&buf, "bar")); strbuf_release(&buf); Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-25add xsnprintf helper functionLibravatar Jeff King2-0/+19
There are a number of places in the code where we call sprintf(), with the assumption that the output will fit into the buffer. In many cases this is true (e.g., formatting a number into a large buffer), but it is hard to tell immediately from looking at the code. It would be nice if we had some run-time check to make sure that our assumption is correct (and to communicate to readers of the code that we are not blindly calling sprintf, but have actually thought about this case). This patch introduces xsnprintf, which behaves just like snprintf, except that it dies whenever the output is truncated. This acts as a sort of assert() for these cases, which can help find places where the assumption is violated (as opposed to truncating and proceeding, which may just silently give a wrong answer). Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-25fsck: don't fsck alternates for connectivity-only checkLibravatar Jeff King1-8/+9
Commit 02976bf (fsck: introduce `git fsck --connectivity-only`, 2015-06-22) recently gave fsck an option to perform only a subset of the checks, by skipping the fsck_object_dir() call. However, it does so only for the local object directory, and we still do expensive checks on any alternate repos. We should skip them in this case, too. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-25archive-tar: fix minor indentation violationLibravatar Jeff King1-1/+1
This looks like a simple omission from 8539070 (archive-tar: unindent write_tar_entry by one level, 2012-05-03). Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-25mailsplit: fix FILE* leak in split_maildirLibravatar Jeff King1-1/+4
If we encounter an error while splitting a maildir, we exit the function early, leaking the open filehandle. This isn't a big deal, since we exit the program soon after, but it's easy enough to be careful. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-25show-branch: avoid segfault with --reflog of unborn branchLibravatar Jeff King1-0/+2
When no branch is given to the "--reflog" option, we resolve HEAD to get the default branch. However, if HEAD points to an unborn branch, resolve_ref returns NULL, and we later segfault trying to access it. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-21Git 2.6-rc3Libravatar Junio C Hamano1-1/+1
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-21Merge branch 'rj/mailmap-ramsay'Libravatar Junio C Hamano1-1/+1
* rj/mailmap-ramsay: mailmap: update my entry with new email address
2015-09-21Merge branch 'bn/send-email-smtp-auth-error-message-fix'Libravatar Junio C Hamano1-1/+1
Fix a minor regression brought in to "git send-email" by a recent addition of the "--smtp-auth" option. * bn/send-email-smtp-auth-error-message-fix: send-email: fix uninitialized var warning for $smtp_auth
2015-09-21Merge tag 'l10n-2.6.0-rnd2+de' of git://github.com/git-l10n/git-poLibravatar Junio C Hamano8-11681/+14967
l10n-2.6.0-rnd2 plus de * tag 'l10n-2.6.0-rnd2+de' of git://github.com/git-l10n/git-po: (25 commits) l10n: de.po: better language for one string l10n: de.po: translate 2 messages l10n: Update and review Vietnamese translation (2440t) l10n: fr.po v2.6.0 round 2 (2440t) l10n: zh_CN: for git v2.6.0 l10n round 2 l10n: ca.po: update translation l10n: git.pot: v2.6.0 round 2 (3 improvements) l10n: de.po: translate 123 new messages l10n: fr.po v2.6.0 round 1 (2441t) l10n: sv.po: Update Swedish translation (2441t0f0u) l10n: zh_CN: for git v2.6.0 l10n round 1 l10n: Updated Vietnamese translation (2441t) l10n: git.pot: v2.6.0 round 1 (123 new, 41 removed) l10n: zh_CN: Update Git Glossary: "commit message" l10n: zh_CN: Update Git Glossary: pickaxe l10n: zh_CN: Update Git Glossary: fork l10n: zh_CN: Update Git Glossary: tag l10n: zh_CN: Update Git Glossary: "dumb", "smart" l10n: zh_CN: Update Git Glossary: SHA-1 l10n: zh_CN: Add Surrounding Spaces ...
2015-09-21send-email: fix uninitialized var warning for $smtp_authLibravatar Brian Norris1-1/+1
On the latest version of git-send-email, I see this error just before running SMTP auth (I didn't provide any --smtp-auth= parameter): Use of uninitialized value $smtp_auth in pattern match (m//) at \ /home/briannorris/git/git/git-send-email.perl line 1139. Signed-off-by: Brian Norris <computersforpeace@gmail.com> Reviewed-by: Eric Sunshine <sunshine@sunshineco.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-20l10n: de.po: better language for one stringLibravatar Phillip Sz1-1/+1
Just one string I think we could translate better. Signed-off-by: Phillip Sz <phillip.szelat@gmail.com> Signed-off-by: Ralf Thielow <ralf.thielow@gmail.com>
2015-09-20l10n: de.po: translate 2 messagesLibravatar Ralf Thielow1-101/+108
Translate 2 messages came from git.pot update in e447091 (l10n: git.pot: v2.6.0 round 2 (3 improvements)). Signed-off-by: Ralf Thielow <ralf.thielow@gmail.com> Acked-by: Phillip Sz <phillip.szelat@gmail.com>
2015-09-21l10n: Update and review Vietnamese translation (2440t)Libravatar Tran Ngoc Quan1-91/+90
Signed-off-by: Tran Ngoc Quan <vnwildman@gmail.com>
2015-09-21l10n: fr.po v2.6.0 round 2 (2440t)Libravatar Jean-Noel Avila1-112/+148
Signed-off-by: Jean-Noel Avila <jn.avila@free.fr>
2015-09-21l10n: zh_CN: for git v2.6.0 l10n round 2Libravatar Jiang Xin1-78/+77
Update 2 translations (2440t0f0u) for git v2.6.0-rc2. Signed-off-by: Jiang Xin <worldhello.net@gmail.com>
2015-09-21l10n: ca.po: update translationLibravatar Alex Henrie1-1760/+2159
Signed-off-by: Alex Henrie <alexhenrie24@gmail.com>
2015-09-21l10n: git.pot: v2.6.0 round 2 (3 improvements)Libravatar Jiang Xin1-76/+72
Introduce three i18n improvements from the following commits: * tag, update-ref: improve description of option "create-reflog" * pull: don't mark values for option "rebase" for translation * show-ref: place angle brackets around variables in usage string Signed-off-by: Jiang Xin <worldhello.net@gmail.com>
2015-09-21Merge branch 'master' of git://github.com/git-l10n/git-poLibravatar Jiang Xin7-9913/+12763
* 'master' of git://github.com/git-l10n/git-po: l10n: de.po: translate 123 new messages l10n: fr.po v2.6.0 round 1 (2441t) l10n: sv.po: Update Swedish translation (2441t0f0u) l10n: zh_CN: for git v2.6.0 l10n round 1 l10n: Updated Vietnamese translation (2441t) l10n: git.pot: v2.6.0 round 1 (123 new, 41 removed) l10n: zh_CN: Update Git Glossary: "commit message" l10n: zh_CN: Update Git Glossary: pickaxe l10n: zh_CN: Update Git Glossary: fork l10n: zh_CN: Update Git Glossary: tag l10n: zh_CN: Update Git Glossary: "dumb", "smart" l10n: zh_CN: Update Git Glossary: SHA-1 l10n: zh_CN: Add Surrounding Spaces l10n: zh_CN: Add translations for Git glossary l10n: TEAMS: stash inactive zh_CN team members l10n: zh_CN: Update Translation of "tag" l10n: zh_CN: Unify Translation of "packfile" l10n: zh_CN: Update Translation: "tag object" Signed-off-by: Jiang Xin <worldhello.net@gmail.com>
2015-09-21l10n: de.po: translate 123 new messagesLibravatar Ralf Thielow1-1640/+2125
Translate 123 new messages came from git.pot update in df0617b (l10n: git.pot: v2.6.0 round 1 (123 new, 41 removed)). Signed-off-by: Ralf Thielow <ralf.thielow@gmail.com> Acked-by: Phillip Sz <phillip.szelat@gmail.com> Acked-by: Matthias RĂ¼ster <matthias.ruester@gmail.com>
2015-09-21l10n: fr.po v2.6.0 round 1 (2441t)Libravatar Jean-Noel Avila1-1638/+2086
Signed-off-by: Jean-Noel Avila <jn.avila@free.fr>
2015-09-17Update RelNotes to 2.6Libravatar Junio C Hamano1-0/+5
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-17Sync with 2.5.3Libravatar Junio C Hamano2-1/+19
* maint: Git 2.5.3
2015-09-17Merge branch 'po/doc-branch-desc'Libravatar Junio C Hamano4-4/+7
The branch descriptions that are set with "git branch --edit-description" option were used in many places but they weren't clearly documented. * po/doc-branch-desc: doc: show usage of branch description
2015-09-17Merge branch 'et/win32-poll-timeout'Libravatar Junio C Hamano1-2/+14
* et/win32-poll-timeout: poll: honor the timeout on Win32
2015-09-17Merge branch 'as/config-doc-markup-fix'Libravatar Junio C Hamano1-6/+6
* as/config-doc-markup-fix: Documentation/config: fix formatting for branch.*.rebase and pull.rebase
2015-09-17Git 2.5.3Libravatar Junio C Hamano4-3/+21
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-17Merge branch 'dt/untracked-subdir' into maintLibravatar Junio C Hamano2-32/+282
The experimental untracked-cache feature were buggy when paths with a few levels of subdirectories are involved. * dt/untracked-subdir: untracked cache: fix entry invalidation untracked-cache: fix subdirectory handling t7063: use --force-untracked-cache to speed up a bit untracked-cache: support sparse checkout
2015-09-17Merge branch 'br/svn-doc-include-paths-config' into maintLibravatar Junio C Hamano1-0/+3
* br/svn-doc-include-paths-config: git-svn doc: mention "svn-remote.<name>.include-paths"
2015-09-17Merge branch 'ah/submodule-typofix-in-error' into maintLibravatar Junio C Hamano1-1/+1
Error string fix. * ah/submodule-typofix-in-error: git-submodule: remove extraneous space from error message
2015-09-17Merge branch 'js/maint-am-skip-performance-regression' into maintLibravatar Junio C Hamano1-1/+1
* js/maint-am-skip-performance-regression: am --skip/--abort: merge HEAD/ORIG_HEAD tree into index
2015-09-16mailmap: update my entry with new email addressLibravatar Ramsay Jones1-1/+1
My 'demon' email address is no longer functional since, after 16+ years with demon, I have had to change my ISP. :( Also, take the opportunity to remove my middle name, which I only use on official documents (or in the GECOS field when creating a user account on unix). Signed-off-by: Ramsay Jones <ramsay@ramsayjones.plus.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-14Update RelNotes to 2.6 to describe leftover bits since -rc2Libravatar Junio C Hamano1-1/+7
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-14Merge branch 'js/maint-am-skip-performance-regression'Libravatar Junio C Hamano1-1/+1
Recent versions of scripted "git am" has a performance regression in "git am --skip" codepath, which no longer exists in the built-in version on the 'master' front. Fix the regression in the last scripted version that appear in 2.5.x maintenance track and older. * js/maint-am-skip-performance-regression: am --skip/--abort: merge HEAD/ORIG_HEAD tree into index
2015-09-14Merge branch 'ah/show-ref-usage-string'Libravatar Junio C Hamano1-1/+1
Both "git show-ref -h" and "git show-ref --help" illustrated that the "--exclude-existing" option makes the command read list of refs from its standard input. Change only the "show-ref -h" output to have a pair of "<>" around the placeholder that designate an input file, i.e. "git show-ref --exclude-existing < <ref-list>". * ah/show-ref-usage-string: show-ref: place angle brackets around variables in usage string
2015-09-14Merge branch 'sg/help-group'Libravatar Junio C Hamano1-1/+1
* sg/help-group: Makefile: use SHELL_PATH when running generate-cmdlist.sh
2015-09-14Merge branch 'rt/help-strings-fix'Libravatar Junio C Hamano3-3/+3
* rt/help-strings-fix: tag, update-ref: improve description of option "create-reflog" pull: don't mark values for option "rebase" for translation
2015-09-14Git 2.6-rc2Libravatar Junio C Hamano2-1/+9
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-14poll: honor the timeout on Win32Libravatar Edward Thomson1-2/+14
Ensure that when passing a pipe, the gnulib poll replacement will not return 0 before the timeout has passed. Not obeying the timeout (and merely returning 0) causes pathological behavior when preparing a packfile for a repository and taking a long time to do so. If poll were to return 0 immediately, this would cause keep-alives to get sent as quickly as possible until the packfile was created. Such deviance from the standard would cause megabytes (or more) of keep-alive packets to be sent. GetTickCount is used as it is efficient, stable and monotonically increasing. (Neither GetSystemTime nor QueryPerformanceCounter have all three of these properties.) Signed-off-by: Edward Thomson <ethomson@microsoft.com> Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2015-09-14doc: show usage of branch descriptionLibravatar Philip Oakley4-4/+7
The branch description will be included in 'git format-patch --cover-letter' and in 'git pull-request' emails. It can also be used in the automatic merge message. Tell the reader. While here, clarify that the description may be a multi-line explanation of the purpose of the branch's patch series. Signed-off-by: Philip Oakley <philipoakley@iee.org> Signed-off-by: Junio C Hamano <gitster@pobox.com>