From: Jeff King <peff@peff.net>
To: git@vger.kernel.org
Subject: [PATCH 02/23] parse_commit_buffer(): treat lookup_tree() failure as parse error
Date: Fri, 18 Oct 2019 00:43:29 -0400 [thread overview]
Message-ID: <20191018044328.GB17879@sigill.intra.peff.net> (raw)
In-Reply-To: <20191018044103.GA17625@sigill.intra.peff.net>
If parsing a commit yields a valid tree oid, but we've seen that same
oid as a non-tree in the same process, the resulting commit struct will
end up with a NULL tree pointer, but not otherwise report a parsing
failure.
That's perhaps convenient for callers which want to operate on even
partially corrupt commits (e.g., by still looking at the parents). But
it leaves a potential trap for most callers, who now have to manually
check for a NULL tree. Most do not, and it's likely that there are
possible segfaults lurking. I say "possible" because there are many
candidates, and I don't think it's worth following through on
reproducing them when we can just fix them all in one spot. And
certainly we _have_ seen real-world cases, such as the one fixed by
806278dead (commit-graph.c: handle corrupt/missing trees, 2019-09-05).
Note that we can't quite drop the check in the caller added by that
commit yet, as there's some subtlety with repeated parsings (which will
be addressed in a future commit).
Signed-off-by: Jeff King <peff@peff.net>
---
commit.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/commit.c b/commit.c
index 6467c9e175..810419a168 100644
--- a/commit.c
+++ b/commit.c
@@ -401,6 +401,7 @@ int parse_commit_buffer(struct repository *r, struct commit *item, const void *b
struct commit_graft *graft;
const int tree_entry_len = the_hash_algo->hexsz + 5;
const int parent_entry_len = the_hash_algo->hexsz + 7;
+ struct tree *tree;
if (item->object.parsed)
return 0;
@@ -412,7 +413,12 @@ int parse_commit_buffer(struct repository *r, struct commit *item, const void *b
if (get_oid_hex(bufptr + 5, &parent) < 0)
return error("bad tree pointer in commit %s",
oid_to_hex(&item->object.oid));
- set_commit_tree(item, lookup_tree(r, &parent));
+ tree = lookup_tree(r, &parent);
+ if (!tree)
+ return error("bad tree pointer %s in commit %s",
+ oid_to_hex(&parent),
+ oid_to_hex(&item->object.oid));
+ set_commit_tree(item, tree);
bufptr += tree_entry_len + 1; /* "tree " + "hex sha1" + "\n" */
pptr = &item->parents;
--
2.23.0.1228.gee29b05929
next prev parent reply other threads:[~2019-10-18 5:10 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-18 4:41 [PATCH 0/23] parsing and fsck cleanups Jeff King
2019-10-18 4:42 ` [PATCH 01/23] parse_commit_buffer(): treat lookup_commit() failure as parse error Jeff King
2019-10-24 3:37 ` Junio C Hamano
2019-10-24 18:01 ` Jeff King
2019-10-18 4:43 ` Jeff King [this message]
2019-10-24 23:12 ` [PATCH 02/23] parse_commit_buffer(): treat lookup_tree() " Jonathan Tan
2019-10-24 23:22 ` Jeff King
2019-10-18 4:45 ` [PATCH 03/23] parse_tag_buffer(): treat NULL tag pointer " Jeff King
2019-10-18 4:47 ` [PATCH 04/23] remember commit/tag parse failures Jeff King
2019-10-24 3:51 ` Junio C Hamano
2019-10-24 23:25 ` Jonathan Tan
2019-10-24 23:41 ` Jeff King
2019-10-18 4:48 ` [PATCH 05/23] fsck: stop checking commit->tree value Jeff King
2019-10-24 3:57 ` Junio C Hamano
2019-10-18 4:49 ` [PATCH 06/23] fsck: stop checking commit->parent counts Jeff King
2019-10-18 4:51 ` [PATCH 07/23] fsck: stop checking tag->tagged Jeff King
2019-10-18 4:54 ` [PATCH 08/23] fsck: require an actual buffer for non-blobs Jeff King
2019-10-18 4:56 ` [PATCH 09/23] fsck: unify object-name code Jeff King
2019-10-24 6:05 ` Junio C Hamano
2019-10-24 18:07 ` Jeff King
2019-10-25 3:23 ` Junio C Hamano
2019-10-25 21:20 ` Jeff King
2019-10-18 4:56 ` [PATCH 10/23] fsck_describe_object(): build on our get_object_name() primitive Jeff King
2019-10-24 6:06 ` Junio C Hamano
2019-10-18 4:57 ` [PATCH 11/23] fsck: use oids rather than objects for object_name API Jeff King
2019-10-18 4:58 ` [PATCH 12/23] fsck: don't require object structs for display functions Jeff King
2019-10-18 4:58 ` [PATCH 13/23] fsck: only provide oid/type in fsck_error callback Jeff King
2019-10-18 4:58 ` [PATCH 14/23] fsck: only require an oid for skiplist functions Jeff King
2019-10-18 4:59 ` [PATCH 15/23] fsck: don't require an object struct for report() Jeff King
2019-10-18 4:59 ` [PATCH 16/23] fsck: accept an oid instead of a "struct blob" for fsck_blob() Jeff King
2019-10-18 4:59 ` [PATCH 17/23] fsck: drop blob struct from fsck_finish() Jeff King
2019-10-18 5:00 ` [PATCH 18/23] fsck: don't require an object struct for fsck_ident() Jeff King
2019-10-18 5:00 ` [PATCH 19/23] fsck: don't require an object struct in verify_headers() Jeff King
2019-10-18 5:00 ` [PATCH 20/23] fsck: rename vague "oid" local variables Jeff King
2019-10-18 5:01 ` [PATCH 21/23] fsck: accept an oid instead of a "struct tag" for fsck_tag() Jeff King
2019-10-18 5:01 ` [PATCH 22/23] fsck: accept an oid instead of a "struct commit" for fsck_commit() Jeff King
2019-10-18 5:02 ` [PATCH 23/23] fsck: accept an oid instead of a "struct tree" for fsck_tree() Jeff King
2019-10-24 23:49 ` [PATCH 0/23] parsing and fsck cleanups Jonathan Tan
2019-10-25 3:11 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191018044328.GB17879@sigill.intra.peff.net \
--to=peff@peff.net \
--cc=git@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).