[PATCH 1/5] diff --color-moved-ws: fix double free crash

[PATCH 1/5] diff --color-moved-ws: fix double free crash

[Phillip Wood]

From: Phillip Wood <phillip.wood@dunelm.org.uk>

Running
  git diff --color-moved-ws=allow-indentation-change v2.18.0 v2.19.0
results in a crash due to a double free. This happens when two
potential moved blocks start with consecutive lines. As
pmb_advance_or_null_multi_match() advances it copies the ws_delta from
the last matching line to the next. When the first of our consecutive
lines is advanced its ws_delta well be copied to the second,
overwriting the ws_delta of the block containing the second line. Then
when the second line is advanced it will copy the new ws_delta to the
line below it and so on. Eventually one of these blocks will stop
matching and the ws_delta will be freed. From then on the other block
is in a use-after-free state and when it stops matching it will try to
free the ws_delta that has already been freed by the other block.

The solution is to store the ws_delta in the array of potential moved
blocks rather than with the lines. This means that it no longer needs
to be copied around and one block cannot overwrite the ws_delta of
another. Additionally it saves some malloc/free calls as we don't keep
allocating and freeing ws_deltas.

Signed-off-by: Phillip Wood <phillip.wood@dunelm.org.uk>
---
 diff.c | 73 +++++++++++++++++++++++++++++++++-------------------------
 1 file changed, 41 insertions(+), 32 deletions(-)

diff --git a/diff.c b/diff.c
index 9393993e33..5a08d64497 100644
--- a/diff.c
+++ b/diff.c
@@ -751,7 +751,6 @@ struct moved_entry {
 	struct hashmap_entry ent;
 	const struct emitted_diff_symbol *es;
 	struct moved_entry *next_line;
-	struct ws_delta *wsd;
 };
 
 /**
@@ -768,6 +767,17 @@ struct ws_delta {
 };
 #define WS_DELTA_INIT { NULL, 0 }
 
+struct moved_block {
+	struct moved_entry *match;
+	struct ws_delta wsd;
+};
+
+static void moved_block_clear(struct moved_block *b)
+{
+	FREE_AND_NULL(b->wsd.string);
+	b->match = NULL;
+}
+
 static int compute_ws_delta(const struct emitted_diff_symbol *a,
 			     const struct emitted_diff_symbol *b,
 			     struct ws_delta *out)
@@ -785,7 +795,7 @@ static int compute_ws_delta(const struct emitted_diff_symbol *a,
 static int cmp_in_block_with_wsd(const struct diff_options *o,
 				 const struct moved_entry *cur,
 				 const struct moved_entry *match,
-				 struct moved_entry *pmb,
+				 struct moved_block *pmb,
 				 int n)
 {
 	struct emitted_diff_symbol *l = &o->emitted_symbols->buf[n];
@@ -805,7 +815,7 @@ static int cmp_in_block_with_wsd(const struct diff_options *o,
 	if (strcmp(a, b))
 		return 1;
 
-	if (!pmb->wsd)
+	if (!pmb->wsd.string)
 		/*
 		 * No white space delta was carried forward? This can happen
 		 * when we exit early in this function and do not carry
@@ -822,8 +832,8 @@ static int cmp_in_block_with_wsd(const struct diff_options *o,
 	 * one of them for the white spaces, depending which was longer.
 	 */
 
-	wslen = strlen(pmb->wsd->string);
-	if (pmb->wsd->current_longer) {
+	wslen = strlen(pmb->wsd.string);
+	if (pmb->wsd.current_longer) {
 		c += wslen;
 		cl -= wslen;
 	} else {
@@ -873,7 +883,6 @@ static struct moved_entry *prepare_entry(struct diff_options *o,
 	ret->ent.hash = xdiff_hash_string(l->line, l->len, flags);
 	ret->es = l;
 	ret->next_line = NULL;
-	ret->wsd = NULL;
 
 	return ret;
 }
@@ -913,76 +922,72 @@ static void add_lines_to_move_detection(struct diff_options *o,
 static void pmb_advance_or_null(struct diff_options *o,
 				struct moved_entry *match,
 				struct hashmap *hm,
-				struct moved_entry **pmb,
+				struct moved_block *pmb,
 				int pmb_nr)
 {
 	int i;
 	for (i = 0; i < pmb_nr; i++) {
-		struct moved_entry *prev = pmb[i];
+		struct moved_entry *prev = pmb[i].match;
 		struct moved_entry *cur = (prev && prev->next_line) ?
 				prev->next_line : NULL;
 		if (cur && !hm->cmpfn(o, cur, match, NULL)) {
-			pmb[i] = cur;
+			pmb[i].match = cur;
 		} else {
-			pmb[i] = NULL;
+			pmb[i].match = NULL;
 		}
 	}
 }
 
 static void pmb_advance_or_null_multi_match(struct diff_options *o,
 					    struct moved_entry *match,
 					    struct hashmap *hm,
-					    struct moved_entry **pmb,
+					    struct moved_block *pmb,
 					    int pmb_nr, int n)
 {
 	int i;
 	char *got_match = xcalloc(1, pmb_nr);
 
 	for (; match; match = hashmap_get_next(hm, match)) {
 		for (i = 0; i < pmb_nr; i++) {
-			struct moved_entry *prev = pmb[i];
+			struct moved_entry *prev = pmb[i].match;
 			struct moved_entry *cur = (prev && prev->next_line) ?
 					prev->next_line : NULL;
 			if (!cur)
 				continue;
-			if (!cmp_in_block_with_wsd(o, cur, match, pmb[i], n))
+			if (!cmp_in_block_with_wsd(o, cur, match, &pmb[i], n))
 				got_match[i] |= 1;
 		}
 	}
 
 	for (i = 0; i < pmb_nr; i++) {
 		if (got_match[i]) {
 			/* Carry the white space delta forward */
-			pmb[i]->next_line->wsd = pmb[i]->wsd;
-			pmb[i] = pmb[i]->next_line;
+			pmb[i].match = pmb[i].match->next_line;
 		} else {
-			if (pmb[i]->wsd) {
-				free(pmb[i]->wsd->string);
-				FREE_AND_NULL(pmb[i]->wsd);
-			}
-			pmb[i] = NULL;
+			moved_block_clear(&pmb[i]);
 		}
 	}
 }
 
-static int shrink_potential_moved_blocks(struct moved_entry **pmb,
+static int shrink_potential_moved_blocks(struct moved_block *pmb,
 					 int pmb_nr)
 {
 	int lp, rp;
 
 	/* Shrink the set of potential block to the remaining running */
 	for (lp = 0, rp = pmb_nr - 1; lp <= rp;) {
-		while (lp < pmb_nr && pmb[lp])
+		while (lp < pmb_nr && pmb[lp].match)
 			lp++;
 		/* lp points at the first NULL now */
 
-		while (rp > -1 && !pmb[rp])
+		while (rp > -1 && !pmb[rp].match)
 			rp--;
 		/* rp points at the last non-NULL */
 
 		if (lp < pmb_nr && rp > -1 && lp < rp) {
 			pmb[lp] = pmb[rp];
-			pmb[rp] = NULL;
+			pmb[rp].match = NULL;
+			pmb[rp].wsd.string = NULL;
 			rp--;
 			lp++;
 		}
@@ -1029,7 +1034,7 @@ static void mark_color_as_moved(struct diff_options *o,
 				struct hashmap *add_lines,
 				struct hashmap *del_lines)
 {
-	struct moved_entry **pmb = NULL; /* potentially moved blocks */
+	struct moved_block *pmb = NULL; /* potentially moved blocks */
 	int pmb_nr = 0, pmb_alloc = 0;
 	int n, flipped_block = 1, block_length = 0;
 
@@ -1058,7 +1063,11 @@ static void mark_color_as_moved(struct diff_options *o,
 		}
 
 		if (!match) {
+			int i;
+
 			adjust_last_block(o, n, block_length);
+			for(i = 0; i < pmb_nr; i++)
+				moved_block_clear(&pmb[i]);
 			pmb_nr = 0;
 			block_length = 0;
 			continue;
@@ -1086,14 +1095,12 @@ static void mark_color_as_moved(struct diff_options *o,
 				ALLOC_GROW(pmb, pmb_nr + 1, pmb_alloc);
 				if (o->color_moved_ws_handling &
 				    COLOR_MOVED_WS_ALLOW_INDENTATION_CHANGE) {
-					struct ws_delta *wsd = xmalloc(sizeof(*match->wsd));
-					if (compute_ws_delta(l, match->es, wsd)) {
-						match->wsd = wsd;
-						pmb[pmb_nr++] = match;
-					} else
-						free(wsd);
+					if (compute_ws_delta(l, match->es,
+							     &pmb[pmb_nr].wsd))
+						pmb[pmb_nr++].match = match;
 				} else {
-					pmb[pmb_nr++] = match;
+					pmb[pmb_nr].wsd.string = NULL;
+					pmb[pmb_nr++].match = match;
 				}
 			}
 
@@ -1110,6 +1117,8 @@ static void mark_color_as_moved(struct diff_options *o,
 	}
 	adjust_last_block(o, n, block_length);
 
+	for(n = 0; n < pmb_nr; n++)
+		moved_block_clear(&pmb[n]);
 	free(pmb);
 }
 
-- 
2.19.0

[PATCH 2/5] diff --color-moved-ws: fix out of bounds string access

[Phillip Wood]

From: Phillip Wood <phillip.wood@dunelm.org.uk>

When adjusting the start of the string to take account of the change
in indentation the code was not checking that the string being
adjusted was in fact longer than the indentation change. This was
detected by asan.

Signed-off-by: Phillip Wood <phillip.wood@dunelm.org.uk>
---
 diff.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/diff.c b/diff.c
index 5a08d64497..0096bdc339 100644
--- a/diff.c
+++ b/diff.c
@@ -841,7 +841,7 @@ static int cmp_in_block_with_wsd(const struct diff_options *o,
 		al -= wslen;
 	}
 
-	if (strcmp(a, c))
+	if (al < 0 || al != cl || memcmp(a, c, al))
 		return 1;
 
 	return 0;
-- 
2.19.0

[PATCH 3/5] diff --color-moved-ws: fix a memory leak

[Phillip Wood]

From: Phillip Wood <phillip.wood@dunelm.org.uk>

Don't duplicate the indentation string if we're not going to use it.
This was found with asan.

Signed-off-by: Phillip Wood <phillip.wood@dunelm.org.uk>
---
 diff.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/diff.c b/diff.c
index 0096bdc339..efadd05c90 100644
--- a/diff.c
+++ b/diff.c
@@ -785,11 +785,15 @@ static int compute_ws_delta(const struct emitted_diff_symbol *a,
 	const struct emitted_diff_symbol *longer =  a->len > b->len ? a : b;
 	const struct emitted_diff_symbol *shorter = a->len > b->len ? b : a;
 	int d = longer->len - shorter->len;
+	int ret = !strncmp(longer->line + d, shorter->line, shorter->len);
+
+	if (!ret)
+		return ret;
 
 	out->string = xmemdupz(longer->line, d);
 	out->current_longer = (a == longer);
 
-	return !strncmp(longer->line + d, shorter->line, shorter->len);
+	return ret;
 }
 
 static int cmp_in_block_with_wsd(const struct diff_options *o,
-- 
2.19.0

[PATCH 4/5] diff --color-moved-ws: fix another memory leak

[Phillip Wood]

From: Phillip Wood <phillip.wood@dunelm.org.uk>

This is obvious in retrospect, it was found with asan.

Signed-off-by: Phillip Wood <phillip.wood@dunelm.org.uk>
---
 diff.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/diff.c b/diff.c
index efadd05c90..4464feacf8 100644
--- a/diff.c
+++ b/diff.c
@@ -971,6 +971,8 @@ static void pmb_advance_or_null_multi_match(struct diff_options *o,
 			moved_block_clear(&pmb[i]);
 		}
 	}
+
+	free(got_match);
 }
 
 static int shrink_potential_moved_blocks(struct moved_block *pmb,
-- 
2.19.0

[PATCH 5/5] diff --color-moved: fix a memory leak

[Phillip Wood]

From: Phillip Wood <phillip.wood@dunelm.org.uk>

Free the hashmap items as well as the hashmap itself. This was found
with asan.

Signed-off-by: Phillip Wood <phillip.wood@dunelm.org.uk>
---
 diff.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/diff.c b/diff.c
index 4464feacf8..94cc1b5592 100644
--- a/diff.c
+++ b/diff.c
@@ -5770,8 +5770,8 @@ static void diff_flush_patch_all_file_pairs(struct diff_options *o)
 			if (o->color_moved == COLOR_MOVED_ZEBRA_DIM)
 				dim_moved_lines(o);
 
-			hashmap_free(&add_lines, 0);
-			hashmap_free(&del_lines, 0);
+			hashmap_free(&add_lines, 1);
+			hashmap_free(&del_lines, 1);
 		}
 
 		for (i = 0; i < esm.nr; i++)
-- 
2.19.0

Re: [PATCH 1/5] diff --color-moved-ws: fix double free crash

[Stefan Beller]

On Tue, Oct 2, 2018 at 10:55 AM Phillip Wood <phillip.wood@talktalk.net> wrote:

> The solution is to store the ws_delta in the array of potential moved
> blocks rather than with the lines. This means that it no longer needs
> to be copied around and one block cannot overwrite the ws_delta of
> another. Additionally it saves some malloc/free calls as we don't keep
> allocating and freeing ws_deltas.

Another solution would be to duplicate the copy-arounds, that it only
fixes the double free, but having another layer of abstraction
(moved block vs line) makes sense as then we don't need to copy
it forward.

With this patch applied the diff as mentioned works and having the
ws deltas with the blocks instead of the

>
> Signed-off-by: Phillip Wood <phillip.wood@dunelm.org.uk>



>  static void pmb_advance_or_null_multi_match(struct diff_options *o,
[...]
>         for (i = 0; i < pmb_nr; i++) {
>                 if (got_match[i]) {
>                         /* Carry the white space delta forward */

I would think this comment is obsolete as well with this patch?

With or without that nit addressed, this patch is
Reviewed-by: Stefan Beller <sbeller@google.com>

Re: [PATCH 2/5] diff --color-moved-ws: fix out of bounds string access

[Stefan Beller]

On Tue, Oct 2, 2018 at 10:55 AM Phillip Wood <phillip.wood@talktalk.net> wrote:
>
> From: Phillip Wood <phillip.wood@dunelm.org.uk>
>
> When adjusting the start of the string to take account of the change
> in indentation the code was not checking that the string being
> adjusted was in fact longer than the indentation change. This was
> detected by asan.
>
> Signed-off-by: Phillip Wood <phillip.wood@dunelm.org.uk>
> ---
>  diff.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/diff.c b/diff.c
> index 5a08d64497..0096bdc339 100644
> --- a/diff.c
> +++ b/diff.c
> @@ -841,7 +841,7 @@ static int cmp_in_block_with_wsd(const struct diff_options *o,
>                 al -= wslen;
>         }
>
> -       if (strcmp(a, c))
> +       if (al < 0 || al != cl || memcmp(a, c, al))

If (al < 0) then al != cl, so I would think we could drop the first
part, and only check with al != cl || memcmp

In theory we should use xdiff_compare_lines here
as the rest of the lines could have more white space issues,
but we catch that earlier via a die("color-moved-ws:
allow-indentation-change cannot be combined with other
white space modes"), so memcmp is fine.

Side note: There are comments above this code that seem
to be also obsolete after patch 1 ("...carried forward in
pmb->wsd; ...)

Re: [PATCH 3/5] diff --color-moved-ws: fix a memory leak

[Stefan Beller]

On Tue, Oct 2, 2018 at 10:55 AM Phillip Wood <phillip.wood@talktalk.net> wrote:
>
> From: Phillip Wood <phillip.wood@dunelm.org.uk>
>
> Don't duplicate the indentation string if we're not going to use it.
> This was found with asan.

Makes sense,

Thanks,
Stefan

With compute_ws_delta growing bigger here (and having only one caller),
I wonder if we want to pass 'match' instead of match->es (and pmb_nr),
such that the function can also take care of
    pmb[pmb_nr++].match = match;

Then the function is not a mere compute_ws_delta, but a whole
setup_new_pmb(...) thing. Undecided.

Re: [PATCH 4/5] diff --color-moved-ws: fix another memory leak

[Stefan Beller]

On Tue, Oct 2, 2018 at 10:55 AM Phillip Wood <phillip.wood@talktalk.net> wrote:
>
> From: Phillip Wood <phillip.wood@dunelm.org.uk>
>
> This is obvious in retrospect, it was found with asan.

Indeed. :/

Thanks,
Stefan

Re: [PATCH 5/5] diff --color-moved: fix a memory leak

[Stefan Beller]

On Tue, Oct 2, 2018 at 10:55 AM Phillip Wood <phillip.wood@talktalk.net> wrote:
>
> From: Phillip Wood <phillip.wood@dunelm.org.uk>
>
> Free the hashmap items as well as the hashmap itself. This was found
> with asan.
>
> Signed-off-by: Phillip Wood <phillip.wood@dunelm.org.uk>
> ---
>  diff.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/diff.c b/diff.c
> index 4464feacf8..94cc1b5592 100644
> --- a/diff.c
> +++ b/diff.c
> @@ -5770,8 +5770,8 @@ static void diff_flush_patch_all_file_pairs(struct diff_options *o)
>                         if (o->color_moved == COLOR_MOVED_ZEBRA_DIM)
>                                 dim_moved_lines(o);
>
> -                       hashmap_free(&add_lines, 0);
> -                       hashmap_free(&del_lines, 0);
> +                       hashmap_free(&add_lines, 1);
> +                       hashmap_free(&del_lines, 1);

And this is sufficient as the entries themselves are
moved_entry, which only contain pointers (to
o->emitted_symbols), which are freed later.
There is nothing in there that needs extra free-ing.

Thanks,
Stefan

Re: [PATCH 1/5] diff --color-moved-ws: fix double free crash

[Phillip Wood]

Hi Stefan

Thanks for looking at these patches

On 02/10/2018 19:49, Stefan Beller wrote:
> On Tue, Oct 2, 2018 at 10:55 AM Phillip Wood <phillip.wood@talktalk.net> wrote:
> 
>> The solution is to store the ws_delta in the array of potential moved
>> blocks rather than with the lines. This means that it no longer needs
>> to be copied around and one block cannot overwrite the ws_delta of
>> another. Additionally it saves some malloc/free calls as we don't keep
>> allocating and freeing ws_deltas.
> 
> Another solution would be to duplicate the copy-arounds, that it only
> fixes the double free, but having another layer of abstraction
> (moved block vs line) makes sense as then we don't need to copy
> it forward.
> 
> With this patch applied the diff as mentioned works and having the
> ws deltas with the blocks instead of the
> 
>>
>> Signed-off-by: Phillip Wood <phillip.wood@dunelm.org.uk>
> 
> 
> 
>>  static void pmb_advance_or_null_multi_match(struct diff_options *o,
> [...]
>>         for (i = 0; i < pmb_nr; i++) {
>>                 if (got_match[i]) {
>>                         /* Carry the white space delta forward */
> 
> I would think this comment is obsolete as well with this patch?

Yes you're right I should have removed that. As there are some changes
needed to some other comments I'll re-roll

Best Wishes

Phillip

> 
> With or without that nit addressed, this patch is
> Reviewed-by: Stefan Beller <sbeller@google.com>
> 

Re: [PATCH 2/5] diff --color-moved-ws: fix out of bounds string access

[Phillip Wood]

On 02/10/2018 19:58, Stefan Beller wrote:
> On Tue, Oct 2, 2018 at 10:55 AM Phillip Wood <phillip.wood@talktalk.net> wrote:
>>
>> From: Phillip Wood <phillip.wood@dunelm.org.uk>
>>
>> When adjusting the start of the string to take account of the change
>> in indentation the code was not checking that the string being
>> adjusted was in fact longer than the indentation change. This was
>> detected by asan.
>>
>> Signed-off-by: Phillip Wood <phillip.wood@dunelm.org.uk>
>> ---
>>  diff.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/diff.c b/diff.c
>> index 5a08d64497..0096bdc339 100644
>> --- a/diff.c
>> +++ b/diff.c
>> @@ -841,7 +841,7 @@ static int cmp_in_block_with_wsd(const struct diff_options *o,
>>                 al -= wslen;
>>         }
>>
>> -       if (strcmp(a, c))
>> +       if (al < 0 || al != cl || memcmp(a, c, al))
> 
> If (al < 0) then al != cl, so I would think we could drop the first
> part, and only check with al != cl || memcmp

Yes, I couldn't make up my mind weather to add the al < 0 or not but of
course only one of the lengths can ever be negative, I'll remove it

> In theory we should use xdiff_compare_lines here
> as the rest of the lines could have more white space issues,
> but we catch that earlier via a die("color-moved-ws:
> allow-indentation-change cannot be combined with other
> white space modes"), so memcmp is fine.
> 
> Side note: There are comments above this code that seem
> to be also obsolete after patch 1 ("...carried forward in
> pmb->wsd; ...)

Good point I'll go through the comments and update them

Best Wishes

Phillip

Re: [PATCH 3/5] diff --color-moved-ws: fix a memory leak

[Phillip Wood]

On 02/10/2018 20:08, Stefan Beller wrote:
> On Tue, Oct 2, 2018 at 10:55 AM Phillip Wood <phillip.wood@talktalk.net> wrote:
>>
>> From: Phillip Wood <phillip.wood@dunelm.org.uk>
>>
>> Don't duplicate the indentation string if we're not going to use it.
>> This was found with asan.
> 
> Makes sense,
> 
> Thanks,
> Stefan
> 
> With compute_ws_delta growing bigger here (and having only one caller),
> I wonder if we want to pass 'match' instead of match->es (and pmb_nr),
> such that the function can also take care of
>     pmb[pmb_nr++].match = match;

Wouldn't we still need to increment pmb_nr in the caller though, in
which case I'm not sure it saves much.

> Then the function is not a mere compute_ws_delta, but a whole
> setup_new_pmb(...) thing. Undecided.
> 

Re: [PATCH 3/5] diff --color-moved-ws: fix a memory leak

[Martin Ågren]

On Tue, 2 Oct 2018 at 20:04, Phillip Wood <phillip.wood@talktalk.net> wrote:
>         const struct emitted_diff_symbol *longer =  a->len > b->len ? a : b;
>         const struct emitted_diff_symbol *shorter = a->len > b->len ? b : a;
>         int d = longer->len - shorter->len;
> +       int ret = !strncmp(longer->line + d, shorter->line, shorter->len);
> +
> +       if (!ret)
> +               return ret;
>
>         out->string = xmemdupz(longer->line, d);
>         out->current_longer = (a == longer);
>
> -       return !strncmp(longer->line + d, shorter->line, shorter->len);
> +       return ret;
>  }

The caller only cares about 0 vs non-0, so this would also work:

   if (strncmp(...))
           return 0;

   ...

   return 1;

Just a thought, to avoid some "!"s and the new variable `ret`.

Martin

[PATCH v2 0/5] diff --color-moved-ws: fix double free crash

[Phillip Wood]

From: Phillip Wood <phillip.wood@dunelm.org.uk>

Thanks to Stefan and Martin for their comments on v1. This version has
some small changes to patches 1-3 based on that feedback - see the
individual patches for what has changed.

Phillip Wood (5):
  diff --color-moved-ws: fix double free crash
  diff --color-moved-ws: fix out of bounds string access
  diff --color-moved-ws: fix a memory leak
  diff --color-moved-ws: fix another memory leak
  diff --color-moved: fix a memory leak

 diff.c | 95 +++++++++++++++++++++++++++++++++-------------------------
 1 file changed, 54 insertions(+), 41 deletions(-)

-- 
2.19.0

[PATCH v2 1/5] diff --color-moved-ws: fix double free crash

[Phillip Wood]

From: Phillip Wood <phillip.wood@dunelm.org.uk>

Running
  git diff --color-moved-ws=allow-indentation-change v2.18.0 v2.19.0
results in a crash due to a double free. This happens when two
potential moved blocks start with consecutive lines. As
pmb_advance_or_null_multi_match() advances it copies the ws_delta from
the last matching line to the next. When the first of our consecutive
lines is advanced its ws_delta well be copied to the second,
overwriting the ws_delta of the block containing the second line. Then
when the second line is advanced it will copy the new ws_delta to the
line below it and so on. Eventually one of these blocks will stop
matching and the ws_delta will be freed. From then on the other block
is in a use-after-free state and when it stops matching it will try to
free the ws_delta that has already been freed by the other block.

The solution is to store the ws_delta in the array of potential moved
blocks rather than with the lines. This means that it no longer needs
to be copied around and one block cannot overwrite the ws_delta of
another. Additionally it saves some malloc/free calls as we don't keep
allocating and freeing ws_deltas.

Signed-off-by: Phillip Wood <phillip.wood@dunelm.org.uk>
---

Notes:
    This applies on top of fab01ec52e ("diff: fix
    --color-moved-ws=allow-indentation-change", 2018-09-04). Note that the
    crash happens with or without that patch, but the mechanism is
    slightly different without it.
    
    Changes since v1:
     - updated comments to match new implementation.

 diff.c | 82 ++++++++++++++++++++++++++++++++--------------------------
 1 file changed, 45 insertions(+), 37 deletions(-)

diff --git a/diff.c b/diff.c
index 9393993e33..02d885f039 100644
--- a/diff.c
+++ b/diff.c
@@ -751,7 +751,6 @@ struct moved_entry {
 	struct hashmap_entry ent;
 	const struct emitted_diff_symbol *es;
 	struct moved_entry *next_line;
-	struct ws_delta *wsd;
 };
 
 /**
@@ -768,6 +767,17 @@ struct ws_delta {
 };
 #define WS_DELTA_INIT { NULL, 0 }
 
+struct moved_block {
+	struct moved_entry *match;
+	struct ws_delta wsd;
+};
+
+static void moved_block_clear(struct moved_block *b)
+{
+	FREE_AND_NULL(b->wsd.string);
+	b->match = NULL;
+}
+
 static int compute_ws_delta(const struct emitted_diff_symbol *a,
 			     const struct emitted_diff_symbol *b,
 			     struct ws_delta *out)
@@ -785,7 +795,7 @@ static int compute_ws_delta(const struct emitted_diff_symbol *a,
 static int cmp_in_block_with_wsd(const struct diff_options *o,
 				 const struct moved_entry *cur,
 				 const struct moved_entry *match,
-				 struct moved_entry *pmb,
+				 struct moved_block *pmb,
 				 int n)
 {
 	struct emitted_diff_symbol *l = &o->emitted_symbols->buf[n];
@@ -805,25 +815,24 @@ static int cmp_in_block_with_wsd(const struct diff_options *o,
 	if (strcmp(a, b))
 		return 1;
 
-	if (!pmb->wsd)
+	if (!pmb->wsd.string)
 		/*
-		 * No white space delta was carried forward? This can happen
-		 * when we exit early in this function and do not carry
-		 * forward ws.
+		 * The white space delta is not active? This can happen
+		 * when we exit early in this function.
 		 */
 		return 1;
 
 	/*
-	 * The indent changes of the block are known and carried forward in
+	 * The indent changes of the block are known and stored in
 	 * pmb->wsd; however we need to check if the indent changes of the
 	 * current line are still the same as before.
 	 *
 	 * To do so we need to compare 'l' to 'cur', adjusting the
 	 * one of them for the white spaces, depending which was longer.
 	 */
 
-	wslen = strlen(pmb->wsd->string);
-	if (pmb->wsd->current_longer) {
+	wslen = strlen(pmb->wsd.string);
+	if (pmb->wsd.current_longer) {
 		c += wslen;
 		cl -= wslen;
 	} else {
@@ -873,7 +882,6 @@ static struct moved_entry *prepare_entry(struct diff_options *o,
 	ret->ent.hash = xdiff_hash_string(l->line, l->len, flags);
 	ret->es = l;
 	ret->next_line = NULL;
-	ret->wsd = NULL;
 
 	return ret;
 }
@@ -913,76 +921,72 @@ static void add_lines_to_move_detection(struct diff_options *o,
 static void pmb_advance_or_null(struct diff_options *o,
 				struct moved_entry *match,
 				struct hashmap *hm,
-				struct moved_entry **pmb,
+				struct moved_block *pmb,
 				int pmb_nr)
 {
 	int i;
 	for (i = 0; i < pmb_nr; i++) {
-		struct moved_entry *prev = pmb[i];
+		struct moved_entry *prev = pmb[i].match;
 		struct moved_entry *cur = (prev && prev->next_line) ?
 				prev->next_line : NULL;
 		if (cur && !hm->cmpfn(o, cur, match, NULL)) {
-			pmb[i] = cur;
+			pmb[i].match = cur;
 		} else {
-			pmb[i] = NULL;
+			pmb[i].match = NULL;
 		}
 	}
 }
 
 static void pmb_advance_or_null_multi_match(struct diff_options *o,
 					    struct moved_entry *match,
 					    struct hashmap *hm,
-					    struct moved_entry **pmb,
+					    struct moved_block *pmb,
 					    int pmb_nr, int n)
 {
 	int i;
 	char *got_match = xcalloc(1, pmb_nr);
 
 	for (; match; match = hashmap_get_next(hm, match)) {
 		for (i = 0; i < pmb_nr; i++) {
-			struct moved_entry *prev = pmb[i];
+			struct moved_entry *prev = pmb[i].match;
 			struct moved_entry *cur = (prev && prev->next_line) ?
 					prev->next_line : NULL;
 			if (!cur)
 				continue;
-			if (!cmp_in_block_with_wsd(o, cur, match, pmb[i], n))
+			if (!cmp_in_block_with_wsd(o, cur, match, &pmb[i], n))
 				got_match[i] |= 1;
 		}
 	}
 
 	for (i = 0; i < pmb_nr; i++) {
 		if (got_match[i]) {
-			/* Carry the white space delta forward */
-			pmb[i]->next_line->wsd = pmb[i]->wsd;
-			pmb[i] = pmb[i]->next_line;
+			/* Advance to the next line */
+			pmb[i].match = pmb[i].match->next_line;
 		} else {
-			if (pmb[i]->wsd) {
-				free(pmb[i]->wsd->string);
-				FREE_AND_NULL(pmb[i]->wsd);
-			}
-			pmb[i] = NULL;
+			moved_block_clear(&pmb[i]);
 		}
 	}
 }
 
-static int shrink_potential_moved_blocks(struct moved_entry **pmb,
+static int shrink_potential_moved_blocks(struct moved_block *pmb,
 					 int pmb_nr)
 {
 	int lp, rp;
 
 	/* Shrink the set of potential block to the remaining running */
 	for (lp = 0, rp = pmb_nr - 1; lp <= rp;) {
-		while (lp < pmb_nr && pmb[lp])
+		while (lp < pmb_nr && pmb[lp].match)
 			lp++;
 		/* lp points at the first NULL now */
 
-		while (rp > -1 && !pmb[rp])
+		while (rp > -1 && !pmb[rp].match)
 			rp--;
 		/* rp points at the last non-NULL */
 
 		if (lp < pmb_nr && rp > -1 && lp < rp) {
 			pmb[lp] = pmb[rp];
-			pmb[rp] = NULL;
+			pmb[rp].match = NULL;
+			pmb[rp].wsd.string = NULL;
 			rp--;
 			lp++;
 		}
@@ -1029,7 +1033,7 @@ static void mark_color_as_moved(struct diff_options *o,
 				struct hashmap *add_lines,
 				struct hashmap *del_lines)
 {
-	struct moved_entry **pmb = NULL; /* potentially moved blocks */
+	struct moved_block *pmb = NULL; /* potentially moved blocks */
 	int pmb_nr = 0, pmb_alloc = 0;
 	int n, flipped_block = 1, block_length = 0;
 
@@ -1058,7 +1062,11 @@ static void mark_color_as_moved(struct diff_options *o,
 		}
 
 		if (!match) {
+			int i;
+
 			adjust_last_block(o, n, block_length);
+			for(i = 0; i < pmb_nr; i++)
+				moved_block_clear(&pmb[i]);
 			pmb_nr = 0;
 			block_length = 0;
 			continue;
@@ -1086,14 +1094,12 @@ static void mark_color_as_moved(struct diff_options *o,
 				ALLOC_GROW(pmb, pmb_nr + 1, pmb_alloc);
 				if (o->color_moved_ws_handling &
 				    COLOR_MOVED_WS_ALLOW_INDENTATION_CHANGE) {
-					struct ws_delta *wsd = xmalloc(sizeof(*match->wsd));
-					if (compute_ws_delta(l, match->es, wsd)) {
-						match->wsd = wsd;
-						pmb[pmb_nr++] = match;
-					} else
-						free(wsd);
+					if (compute_ws_delta(l, match->es,
+							     &pmb[pmb_nr].wsd))
+						pmb[pmb_nr++].match = match;
 				} else {
-					pmb[pmb_nr++] = match;
+					pmb[pmb_nr].wsd.string = NULL;
+					pmb[pmb_nr++].match = match;
 				}
 			}
 
@@ -1110,6 +1116,8 @@ static void mark_color_as_moved(struct diff_options *o,
 	}
 	adjust_last_block(o, n, block_length);
 
+	for(n = 0; n < pmb_nr; n++)
+		moved_block_clear(&pmb[n]);
 	free(pmb);
 }
 
-- 
2.19.0

[PATCH v2 2/5] diff --color-moved-ws: fix out of bounds string access

[Phillip Wood]

From: Phillip Wood <phillip.wood@dunelm.org.uk>

When adjusting the start of the string to take account of the change
in indentation the code was not checking that the string being
adjusted was in fact longer than the indentation change. This was
detected by asan.

Signed-off-by: Phillip Wood <phillip.wood@dunelm.org.uk>
---

Notes:
    Changes since v1:
     - simplified comparison as suggested by Stefan

 diff.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/diff.c b/diff.c
index 02d885f039..e492f8b74f 100644
--- a/diff.c
+++ b/diff.c
@@ -840,7 +840,7 @@ static int cmp_in_block_with_wsd(const struct diff_options *o,
 		al -= wslen;
 	}
 
-	if (strcmp(a, c))
+	if (al != cl || memcmp(a, c, al))
 		return 1;
 
 	return 0;
-- 
2.19.0

[PATCH v2 3/5] diff --color-moved-ws: fix a memory leak

[Phillip Wood]

From: Phillip Wood <phillip.wood@dunelm.org.uk>

Don't duplicate the indentation string if we're not going to use it.
This was found with asan.

Signed-off-by: Phillip Wood <phillip.wood@dunelm.org.uk>
---

Notes:
    Changes since v1:
     - simplified code as suggested by Martin Ågren

 diff.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/diff.c b/diff.c
index e492f8b74f..9bf41bad0d 100644
--- a/diff.c
+++ b/diff.c
@@ -786,10 +786,13 @@ static int compute_ws_delta(const struct emitted_diff_symbol *a,
 	const struct emitted_diff_symbol *shorter = a->len > b->len ? b : a;
 	int d = longer->len - shorter->len;
 
+	if (strncmp(longer->line + d, shorter->line, shorter->len))
+		return 0;
+
 	out->string = xmemdupz(longer->line, d);
 	out->current_longer = (a == longer);
 
-	return !strncmp(longer->line + d, shorter->line, shorter->len);
+	return 1;
 }
 
 static int cmp_in_block_with_wsd(const struct diff_options *o,
-- 
2.19.0

[PATCH v2 4/5] diff --color-moved-ws: fix another memory leak

[Phillip Wood]

From: Phillip Wood <phillip.wood@dunelm.org.uk>

This is obvious in retrospect, it was found with asan.

Signed-off-by: Phillip Wood <phillip.wood@dunelm.org.uk>
---
 diff.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/diff.c b/diff.c
index 9bf41bad0d..69f6309db6 100644
--- a/diff.c
+++ b/diff.c
@@ -969,6 +969,8 @@ static void pmb_advance_or_null_multi_match(struct diff_options *o,
 			moved_block_clear(&pmb[i]);
 		}
 	}
+
+	free(got_match);
 }
 
 static int shrink_potential_moved_blocks(struct moved_block *pmb,
-- 
2.19.0

[PATCH v2 5/5] diff --color-moved: fix a memory leak

[Phillip Wood]

From: Phillip Wood <phillip.wood@dunelm.org.uk>

Free the hashmap items as well as the hashmap itself. This was found
with asan.

Signed-off-by: Phillip Wood <phillip.wood@dunelm.org.uk>
---
 diff.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/diff.c b/diff.c
index 69f6309db6..100d24b9c4 100644
--- a/diff.c
+++ b/diff.c
@@ -5768,8 +5768,8 @@ static void diff_flush_patch_all_file_pairs(struct diff_options *o)
 			if (o->color_moved == COLOR_MOVED_ZEBRA_DIM)
 				dim_moved_lines(o);
 
-			hashmap_free(&add_lines, 0);
-			hashmap_free(&del_lines, 0);
+			hashmap_free(&add_lines, 1);
+			hashmap_free(&del_lines, 1);
 		}
 
 		for (i = 0; i < esm.nr; i++)
-- 
2.19.0

Re: [PATCH v2 5/5] diff --color-moved: fix a memory leak

[Stefan Beller]

On Thu, Oct 4, 2018 at 3:07 AM Phillip Wood <phillip.wood@talktalk.net> wrote:
>
> From: Phillip Wood <phillip.wood@dunelm.org.uk>
>
> Free the hashmap items as well as the hashmap itself. This was found
> with asan.
>
> Signed-off-by: Phillip Wood <phillip.wood@dunelm.org.uk>

Thanks for this series, all 5 patches are

Reviewed-by: Stefan Beller <sbeller@google.com>