1. 23 Feb, 2022 1 commit
  2. 01 Dec, 2021 1 commit
    • object: return GIT_EINVALID on parse errors · fc1a3f45
      Return `GIT_EINVALID` on parse errors so that direct callers of parse
      functions can determine when there was a failure to parse the object.
      
      The object parser functions will swallow this error code to prevent it
      from propagating down the chain to end-users.  (`git_merge` should not
      return `GIT_EINVALID` when a commit it tries to look up is not valid,
      this would be too vague to be useful.)
      
      The only public function that this affects is
      `git_signature_from_buffer`, which is now documented as returning
      `GIT_EINVALID` when appropriate.
      Edward Thomson committed
  3. 25 Nov, 2021 1 commit
  4. 17 Oct, 2021 1 commit
    • str: introduce `git_str` for internal, `git_buf` is external · f0e693b1
      libgit2 has two distinct requirements that were previously solved by
      `git_buf`.  We require:
      
      1. A general purpose string class that provides a number of utility APIs
         for manipulating data (eg, concatenating, truncating, etc).
      2. A structure that we can use to return strings to callers that they
         can take ownership of.
      
      By using a single class (`git_buf`) for both of these purposes, we have
      confused the API to the point that refactorings are difficult and
      reasoning about correctness is also difficult.
      
      Move the utility class `git_buf` to be called `git_str`: this represents
      its general purpose, as an internal string buffer class.  The name also
      is an homage to Junio Hamano ("gitstr").
      
      The public API remains `git_buf`, and has a much smaller footprint.  It
      is generally only used as an "out" param with strict requirements that
      follow the documentation.  (Exceptions exist for some legacy APIs to
      avoid breaking callers unnecessarily.)
      
      Utility functions exist to convert a user-specified `git_buf` to a
      `git_str` so that we can call internal functions, then converting it
      back again.
      Edward Thomson committed
  5. 27 Nov, 2020 1 commit
  6. 15 Jan, 2020 1 commit
  7. 30 Oct, 2019 1 commit
  8. 03 Oct, 2019 1 commit
  9. 07 Aug, 2019 1 commit
  10. 02 Jul, 2019 1 commit
  11. 22 Jan, 2019 1 commit
  12. 01 Dec, 2018 1 commit
  13. 21 Nov, 2018 1 commit
    • commit: fix out-of-bound reads when parsing truncated author fields · cb23c3ef
      While commit objects usually should have only one author field, our commit
      parser actually handles the case where a commit has multiple author fields
      because some tools that exist in the wild actually write them. Detection of
      those additional author fields is done by using a simple `git__prefixcmp`,
      checking whether the current line starts with the string "author ". In case
      where we are handed a non-NUL-terminated string that ends directly after the
      space, though, we may have an out-of-bounds read of one byte when trying to
      compare the expected final NUL byte.
      
      Fix the issue by using `git__prefixncmp` instead of `git_prefixcmp`.
      Unfortunately, a test cannot be easily written to catch this case. While we
      could test the last error message and verify that it didn't in fact fail parsing
      a signature (because that would indicate that it has in fact tried to parse the
      additional "author " field, which it shouldn't be able to detect in the first
      place), this doesn't work as the next line needs to be the "committer" field,
      which would error out with the same error message even if we hadn't done an
      out-of-bounds read.
      
      As objects read from the object database are always NUL terminated, this issue
      cannot be triggered in normal code and thus it's not security critical.
      Patrick Steinhardt committed
  14. 25 Oct, 2018 1 commit
    • commit: fix reading out of bounds when parsing encoding · 7655b2d8
      The commit message encoding is currently being parsed by the
      `git__prefixcmp` function. As this function does not accept a buffer
      length, it will happily skip over a buffer's end if it is not `NUL`
      terminated.
      
      Fix the issue by using `git__prefixncmp` instead. Add a test that
      verifies that we are unable to parse the encoding field if it's cut off
      by the supplied buffer length.
      Patrick Steinhardt committed
  15. 22 Jun, 2018 1 commit
    • commit: implement function to parse raw data · ab265a35
      Currently, parsing objects is strictly tied to having an ODB object
      available. This makes it hard to parse an object when all that is
      available is its raw object and size. Furthermore, hacking around that
      limitation by directly creating an ODB structure either on stack or on
      heap does not really work that well due to ODB objects being reference
      counted and then automatically free'd when reaching a reference count of
      zero.
      
      Implement a function `git_commit__parse_raw` to parse a commit object
      from a pair of `data` and `size`.
      Patrick Steinhardt committed
  16. 15 Jun, 2018 2 commits
  17. 10 Jun, 2018 1 commit
  18. 03 Jul, 2017 1 commit
    • Make sure to always include "common.h" first · 0c7f49dd
      Next to including several files, our "common.h" header also declares
      various macros which are then used throughout the project. As such, we
      have to make sure to always include this file first in all
      implementation files. Otherwise, we might encounter problems or even
      silent behavioural differences due to macros or defines not being
      defined as they should be. So in fact, our header and implementation
      files should make sure to always include "common.h" first.
      
      This commit does so by establishing a common include pattern. Header
      files inside of "src" will now always include "common.h" as its first
      other file, separated by a newline from all the other includes to make
      it stand out as special. There are two cases for the implementation
      files. If they do have a matching header file, they will always include
      this one first, leading to "common.h" being transitively included as
      first file. If they do not have a matching header file, they instead
      include "common.h" as first file themselves.
      
      This fixes the outlined problems and will become our standard practice
      for header and source files inside of the "src/" from now on.
      Patrick Steinhardt committed
  19. 03 Mar, 2017 1 commit
  20. 13 Feb, 2017 2 commits
    • commit: avoid possible use-after-free · ade0d9c6
      When extracting a commit's signature, we first free the object and only
      afterwards put its signature contents into the result buffer. This works
      in most cases - the free'd object will normally be cached anyway, so we
      only end up decrementing its reference count without actually freeing
      its contents. But in some more exotic setups, where caching is disabled,
      this can definitly be a problem, as we might be the only instance
      currently holding a reference to this object.
      
      Fix this issue by first extracting the contents and freeing the object
      afterwards only.
      Patrick Steinhardt committed
    • commit: clear user-provided buffers · dc851d9e
      The functions `git_commit_header_field` and
      `git_commit_extract_signature` both receive buffers used to hand back
      the results to the user. While these functions called `git_buf_sanitize`
      on these buffers, this is not the right thing to do, as it will simply
      initialize or zero-terminate passed buffers. As we want to overwrite
      contents, we instead have to call `git_buf_clear` to completely reset
      them.
      Patrick Steinhardt committed
  21. 29 Dec, 2016 1 commit
  22. 09 Oct, 2016 1 commit
    • commit: always initialize commit message · a719ef5e
      When parsing a commit, we will treat all bytes left after parsing
      the headers as the commit message. When no bytes are left, we
      leave the commit's message uninitialized. While uncommon to have
      a commit without message, this is the right behavior as Git
      unfortunately allows for empty commit messages.
      
      Given that this scenario is so uncommon, most programs acting on
      the commit message will never check if the message is actually
      set, which may lead to errors. To work around the error and not
      lay the burden of checking for empty commit messages to the
      developer, initialize the commit message with an empty string
      when no commit message is given.
      Patrick Steinhardt committed
  23. 01 Jun, 2016 1 commit
  24. 03 May, 2016 1 commit
  25. 23 Mar, 2016 1 commit
  26. 17 Mar, 2016 1 commit
  27. 15 Mar, 2016 1 commit
  28. 08 Mar, 2016 1 commit
  29. 28 Feb, 2016 1 commit
  30. 16 Feb, 2016 1 commit
  31. 11 Feb, 2016 1 commit
    • commit: don't forget the last header field · 460ae11f
      When we moved the logic to handle the first one, wrong loop logic was
      kept in place which meant we still finished early. But we now notice it
      because we're not reading past the last LF we find.
      
      This was not noticed before as the last field in the tested commit was
      multi-line which does not trigger the early break.
      Carlos Martín Nieto committed
  32. 09 Feb, 2016 2 commits
  33. 01 Dec, 2015 1 commit
  34. 03 Nov, 2015 1 commit
  35. 22 Jun, 2015 1 commit
  36. 11 Jun, 2015 1 commit
    • commit: ignore multiple author fields · 65d69fe8
      Some tools create multiple author fields. git is rather lax when parsing
      them, although fsck does complain about them. This means that they exist
      in the wild.
      
      As it's not too taxing to check for them, and there shouldn't be a
      noticeable slowdown when dealing with correct commits, add logic to skip
      over these extra fields when parsing the commit.
      Carlos Martín Nieto committed
  37. 03 Mar, 2015 1 commit
    • Remove the signature from ref-modifying functions · 659cf202
      The signature for the reflog is not something which changes
      dynamically. Almost all uses will be NULL, since we want for the
      repository's default identity to be used, making it noise.
      
      In order to allow for changing the identity, we instead provide
      git_repository_set_ident() and git_repository_ident() which allow a user
      to override the choice of signature.
      Carlos Martín Nieto committed