Re: [RFC PATCH] unpack-trees: watch for out-of-range index position

From: Jeff King <peff@peff.net>
To: Emily Shaffer <emilyshaffer@google.com>
Cc: git@vger.kernel.org
Subject: Re: [RFC PATCH] unpack-trees: watch for out-of-range index position
Date: Wed, 8 Jan 2020 02:15:25 -0500	[thread overview]
Message-ID: <20200108071525.GB1675456@coredump.intra.peff.net> (raw)
In-Reply-To: <20200108023127.219429-1-emilyshaffer@google.com>

On Tue, Jan 07, 2020 at 06:31:27PM -0800, Emily Shaffer wrote:

> This issue came in via a bugreport from a user who had done some nasty
> things like deleting various files in .git/ (and then couldn't remember
> how they had done it). The concern was primarily that a segfault is ugly
> and scary, and possibly dangerous; I didn't see much problem with
> checking for index-out-of-range if the result is a fatal error
> regardless.
>
> [...]
>  	if (pos >= 0)
>  		BUG("This is a directory and should not exist in index");
>  	pos = -pos - 1;
> -	if (!starts_with(o->src_index->cache[pos]->name, name.buf) ||
> +	if (pos >= o->src_index->cache_nr ||
> +	    !starts_with(o->src_index->cache[pos]->name, name.buf) ||
>  	    (pos > 0 && starts_with(o->src_index->cache[pos-1]->name, name.buf)))
> -		BUG("pos must point at the first entry in this directory");
> +		BUG("pos %d doesn't point to the first entry of %s in index",
> +		    pos, name.buf);

The new condition you added looks correct to me. I suspect this BUG()
should not be a BUG() at all, though. It's not necessarily a logic error
inside Git, but as you showed it could indicate corrupt data we read
from disk. The true is probably same of the "pos >= 0" condition checked
above.

It's mostly an academic distinction, though, as I think it would be
pretty reasonable for now to just die() here (eventually, though, we
might want to turn it into an error return).

-Peff