1. 07 Aug, 2019 1 commit
  2. 02 Jul, 2019 1 commit
  3. 22 Jan, 2019 1 commit
  4. 01 Dec, 2018 1 commit
  5. 21 Nov, 2018 1 commit
    • commit: fix out-of-bound reads when parsing truncated author fields · cb23c3ef
      While commit objects usually should have only one author field, our commit
      parser actually handles the case where a commit has multiple author fields
      because some tools that exist in the wild actually write them. Detection of
      those additional author fields is done by using a simple `git__prefixcmp`,
      checking whether the current line starts with the string "author ". When we
      are handed a non-NUL-terminated string that ends directly after the space,
      though, we may read one byte out of bounds when comparing against the
      expected final NUL byte.
      
      Fix the issue by using `git__prefixncmp` instead of `git__prefixcmp`.
      Unfortunately, a test cannot be easily written to catch this case. While we
      could test the last error message and verify that it didn't in fact fail parsing
      a signature (because that would indicate that it has in fact tried to parse the
      additional "author " field, which it shouldn't be able to detect in the first
      place), this doesn't work as the next line needs to be the "committer" field,
      which would error out with the same error message even if we hadn't done an
      out-of-bounds read.
      
      As objects read from the object database are always NUL terminated, this issue
      cannot be triggered in normal code and thus it's not security critical.
      Patrick Steinhardt committed
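
The idea behind a length-aware prefix comparison can be sketched as follows. This is a minimal illustration, not libgit2's actual `git__prefixncmp`; the name `bounded_prefixcmp` and its return convention are assumptions made for this example. The point is that the buffer is never read at or beyond `len`, even when the prefix has been fully matched.

```c
#include <assert.h>
#include <stddef.h>

/*
 * Hypothetical length-bounded prefix check (illustration only).
 * Returns 0 when the first `len` bytes of `str` begin with the
 * NUL-terminated `prefix`, non-zero otherwise. Never reads str[len].
 */
static int bounded_prefixcmp(const char *str, size_t len, const char *prefix)
{
	size_t i;

	assert(str != NULL && prefix != NULL);

	for (i = 0; prefix[i] != '\0'; i++) {
		/* The buffer ended before the prefix did: no match, no overread. */
		if (i >= len)
			return -1;
		if (str[i] != prefix[i])
			return (unsigned char)str[i] - (unsigned char)prefix[i];
	}

	/* The whole prefix matched; str[i] is deliberately not inspected. */
	return 0;
}
```

With a seven-byte buffer holding exactly `author ` and no terminator, the check succeeds without touching an eighth byte; with only six bytes available it reports a mismatch.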
  6. 25 Oct, 2018 1 commit
    • commit: fix reading out of bounds when parsing encoding · 7655b2d8
      The commit message encoding is currently being parsed by the
      `git__prefixcmp` function. As this function does not accept a buffer
      length, it will happily skip over a buffer's end if it is not `NUL`
      terminated.
      
      Fix the issue by using `git__prefixncmp` instead. Add a test that
      verifies that we are unable to parse the encoding field if it's cut off
      by the supplied buffer length.
      Patrick Steinhardt committed
  7. 22 Jun, 2018 1 commit
    • commit: implement function to parse raw data · ab265a35
      Currently, parsing objects is strictly tied to having an ODB object
      available. This makes it hard to parse an object when all that is
      available is its raw object and size. Furthermore, hacking around that
      limitation by directly creating an ODB structure either on stack or on
      heap does not really work that well due to ODB objects being reference
      counted and then automatically free'd when reaching a reference count of
      zero.
      
      Implement a function `git_commit__parse_raw` to parse a commit object
      from a pair of `data` and `size`.
      Patrick Steinhardt committed
  8. 15 Jun, 2018 2 commits
  9. 10 Jun, 2018 1 commit
  10. 03 Jul, 2017 1 commit
    • Make sure to always include "common.h" first · 0c7f49dd
      Next to including several files, our "common.h" header also declares
      various macros which are then used throughout the project. As such, we
      have to make sure to always include this file first in all
      implementation files. Otherwise, we might encounter problems or even
      silent behavioural differences due to macros or defines not being
      defined as they should be. So in fact, our header and implementation
      files should make sure to always include "common.h" first.
      
      This commit does so by establishing a common include pattern. Header
      files inside of "src" will now always include "common.h" as their first
      include, separated by a newline from all the other includes to make
      it stand out as special. There are two cases for the implementation
      files. If they do have a matching header file, they will always include
      this one first, leading to "common.h" being transitively included as
      first file. If they do not have a matching header file, they instead
      include "common.h" as first file themselves.
      
      This fixes the outlined problems and will become our standard practice
      for header and source files inside of the "src/" from now on.
      Patrick Steinhardt committed
  11. 03 Mar, 2017 1 commit
  12. 13 Feb, 2017 2 commits
    • commit: avoid possible use-after-free · ade0d9c6
      When extracting a commit's signature, we first free the object and only
      afterwards put its signature contents into the result buffer. This works
      in most cases - the free'd object will normally be cached anyway, so we
      only end up decrementing its reference count without actually freeing
      its contents. But in some more exotic setups, where caching is disabled,
      this can definitely be a problem, as we might be the only instance
      currently holding a reference to this object.
      
      Fix this issue by first extracting the contents and only afterwards
      freeing the object.
      Patrick Steinhardt committed
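
The ordering described above (copy out first, drop the reference afterwards) might look like the following sketch. The `demo_object` type and its helpers are hypothetical stand-ins for a reference-counted object and are not libgit2 types; the sketch assumes the caller holds the only reference, which is the case where the original ordering would have read freed memory.

```c
#include <assert.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical reference-counted object, for illustration only. */
typedef struct {
	int refcount;
	char *data;
} demo_object;

static demo_object *demo_object_new(const char *data)
{
	size_t n = strlen(data) + 1;
	demo_object *obj = malloc(sizeof(*obj));

	if (obj == NULL)
		return NULL;
	obj->data = malloc(n);
	if (obj->data == NULL) {
		free(obj);
		return NULL;
	}
	memcpy(obj->data, data, n);
	obj->refcount = 1;
	return obj;
}

/* Drops one reference; frees the object when the count reaches zero. */
static void demo_object_release(demo_object *obj)
{
	if (obj != NULL && --obj->refcount == 0) {
		free(obj->data);
		free(obj);
	}
}

/* Copies the contents out first and releases the object only afterwards.
 * The caller owns the returned string and must free() it. */
static char *demo_extract(demo_object *obj)
{
	size_t n;
	char *out;

	assert(obj != NULL);

	n = strlen(obj->data) + 1;
	out = malloc(n);
	if (out != NULL)
		memcpy(out, obj->data, n);

	demo_object_release(obj); /* safe: obj->data is no longer needed */
	return out;
}
```

Swapping the last two steps of `demo_extract` would reproduce the bug class: with a reference count of one, `obj->data` would already be freed when it is copied.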
    • commit: clear user-provided buffers · dc851d9e
      The functions `git_commit_header_field` and
      `git_commit_extract_signature` both receive buffers used to hand back
      the results to the user. While these functions called `git_buf_sanitize`
      on these buffers, this is not the right thing to do, as it will simply
      initialize or zero-terminate passed buffers. As we want to overwrite
      contents, we instead have to call `git_buf_clear` to completely reset
      them.
      Patrick Steinhardt committed
  13. 29 Dec, 2016 1 commit
  14. 09 Oct, 2016 1 commit
    • commit: always initialize commit message · a719ef5e
      When parsing a commit, we will treat all bytes left after parsing
      the headers as the commit message. When no bytes are left, we
      leave the commit's message uninitialized. While it is uncommon to have
      a commit without a message, this is the right behavior as Git
      unfortunately allows for empty commit messages.
      
      Given that this scenario is so uncommon, most programs acting on
      the commit message will never check if the message is actually
      set, which may lead to errors. To work around the error and not
      lay the burden of checking for empty commit messages on the
      developer, initialize the commit message with an empty string
      when no commit message is given.
      Patrick Steinhardt committed
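
A minimal sketch of that behavior, assuming a hypothetical helper `demo_parse_message` that receives whatever bytes remain after the headers: it always hands back an allocated, NUL-terminated string, so callers never see a NULL message for a commit that simply has none. The name and signature are invented for this example.

```c
#include <assert.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical helper: turn the bytes left after the headers into a
 * NUL-terminated message. When no bytes are left, the result is an
 * empty string rather than NULL. Returns NULL only on allocation
 * failure. The caller must free() the result.
 */
static char *demo_parse_message(const char *rest, size_t len)
{
	char *msg;

	assert(rest != NULL || len == 0);

	msg = malloc(len + 1);
	if (msg == NULL)
		return NULL;

	if (len > 0)
		memcpy(msg, rest, len);
	msg[len] = '\0';
	return msg;
}
```

Code that later calls `strlen()` or `strchr()` on the message then works unchanged for commits without a message.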
  15. 01 Jun, 2016 1 commit
  16. 03 May, 2016 1 commit
  17. 23 Mar, 2016 1 commit
  18. 17 Mar, 2016 1 commit
  19. 15 Mar, 2016 1 commit
  20. 08 Mar, 2016 1 commit
  21. 28 Feb, 2016 1 commit
  22. 16 Feb, 2016 1 commit
  23. 11 Feb, 2016 1 commit
    • commit: don't forget the last header field · 460ae11f
      When we moved the logic to handle the first one, wrong loop logic was
      kept in place which meant we still finished early. But we now notice it
      because we're not reading past the last LF we find.
      
      This was not noticed before as the last field in the tested commit was
      multi-line which does not trigger the early break.
      Carlos Martín Nieto committed
  24. 09 Feb, 2016 2 commits
  25. 01 Dec, 2015 1 commit
    • commit: introduce `git_commit_body` · 7f8fe1d4
      It is already possible to get a commit's summary with the
      `git_commit_summary` function. It is not possible to get the
      remaining part of the commit message, that is the commit
      message's body.
      
      Fix this by introducing a new function `git_commit_body`.
      Patrick Steinhardt committed
  26. 03 Nov, 2015 1 commit
  27. 22 Jun, 2015 1 commit
  28. 11 Jun, 2015 1 commit
    • commit: ignore multiple author fields · 65d69fe8
      Some tools create multiple author fields. git is rather lax when parsing
      them, although fsck does complain about them. This means that they exist
      in the wild.
      
      As it's not too taxing to check for them, and there shouldn't be a
      noticeable slowdown when dealing with correct commits, add logic to skip
      over these extra fields when parsing the commit.
      Carlos Martín Nieto committed
  29. 03 Mar, 2015 1 commit
    • Remove the signature from ref-modifying functions · 659cf202
      The signature for the reflog is not something which changes
      dynamically. Almost all uses will be NULL, since we want the
      repository's default identity to be used, which makes the parameter noise.
      
      In order to allow for changing the identity, we instead provide
      git_repository_set_ident() and git_repository_ident() which allow a user
      to override the choice of signature.
      Carlos Martín Nieto committed
  30. 15 Feb, 2015 1 commit
  31. 27 Oct, 2014 1 commit
  32. 29 Apr, 2014 1 commit
    • commit: safer commit creation with reference update · 217c029b
      The current versions of the commit creation and amend functions are unsafe
      to use when passing the update_ref parameter, as they do not check that
      the reference at the moment of update points to what the user expects.
      
      Make sure that we're moving history forward when we ask the library to
      update the reference for us by checking that the first parent of the new
      commit is the current value of the reference. We also make sure that the
      ref we're updating hasn't moved between the read and the write.
      
      Similarly, when amending a commit, make sure that the current tip of the
      branch is the commit we're amending.
      Carlos Martín Nieto committed
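
The check described above amounts to a compare-and-update on the reference. The sketch below is a single-threaded illustration with hypothetical names (`demo_ref`, `demo_update_ref`) and plain strings in place of object IDs; it does not show the locking a real implementation would need to make sure the reference has not moved between the read and the write.

```c
#include <assert.h>
#include <string.h>

#define DEMO_ID_LEN 41 /* 40 hex characters plus NUL, assumed for this demo */

/* Hypothetical reference holding the ID it currently points at. */
typedef struct {
	char target[DEMO_ID_LEN];
} demo_ref;

/*
 * Moves `ref` to `new_commit` only if it currently points at
 * `first_parent`, so that history can only move forward.
 * Returns 0 on success, -1 if the reference points elsewhere
 * or the new ID does not fit.
 */
static int demo_update_ref(demo_ref *ref, const char *first_parent,
	const char *new_commit)
{
	assert(ref != NULL && first_parent != NULL && new_commit != NULL);

	if (strcmp(ref->target, first_parent) != 0)
		return -1; /* the ref moved or never pointed at the parent */
	if (strlen(new_commit) >= DEMO_ID_LEN)
		return -1;

	strcpy(ref->target, new_commit);
	return 0;
}
```

For an amend, the same comparison would be made against the commit being amended rather than against the first parent.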
  33. 07 Mar, 2014 1 commit
  34. 25 Feb, 2014 1 commit
  35. 08 Feb, 2014 1 commit
    • Add git_commit_amend API · 80c29fe9
      This adds an API to amend an existing commit, basically a shorthand
      for creating a new commit filling in missing parameters from the
      values of an existing commit.  As part of this, I also added a new
      "sys" API to create a commit using a callback to get the parents.
      This allowed me to rewrite all the other commit creation APIs so
      that temporary allocations are no longer needed.
      Russell Belfer committed
  36. 05 Feb, 2014 1 commit
    • commit: faster parsing · a6563619
      The current code issues a lot of strncmp() calls in order to check for
      the end of the header, simply in order to copy it and start going
      through it again. These are a lot of calls for something we can check as
      we go along. Knowing the number of parents beforehand to reduce
      allocations in extreme cases does not make up for them.
      
      Instead start parsing immediately and check for the double-newline after
      each header field, leaving the raw_header allocation for the end, which
      lets us go through the header once and reduces the number of strncmp()
      calls significantly.
      
      In unscientific testing, this has reduced a shortlog-like usage (walking
      through the whole history of a branch and extracting data from the
      commits) of git.git from ~830ms to ~700ms and makes the time we spend in
      strncmp() negligible.
      Carlos Martín Nieto committed
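
The single-pass approach can be sketched as below. This is an illustration under simplifying assumptions, not the parser from the commit: `demo_scan_header` is a hypothetical function that only counts `parent ` lines and locates the blank line that ends the header, checking for the end of the header once per line as it goes.

```c
#include <assert.h>
#include <stddef.h>
#include <string.h>

/*
 * Hypothetical single-pass header scan (illustration only).
 * Walks the header lines in buf[0..len), counts lines starting with
 * "parent ", and returns the offset of the first byte after the blank
 * line that terminates the header, or `len` if there is no blank line.
 */
static size_t demo_scan_header(const char *buf, size_t len, size_t *parents)
{
	size_t pos = 0;

	assert(buf != NULL && parents != NULL);
	*parents = 0;

	while (pos < len) {
		const char *eol;
		size_t line_len;

		/* An empty line means the header is over. */
		if (buf[pos] == '\n')
			return pos + 1;

		eol = memchr(buf + pos, '\n', len - pos);
		line_len = eol ? (size_t)(eol - (buf + pos)) : len - pos;

		if (line_len >= 7 && memcmp(buf + pos, "parent ", 7) == 0)
			(*parents)++;

		/* Step past the line and its LF, if it had one. */
		pos += line_len + (eol ? 1 : 0);
	}

	return len;
}
```

Each header byte is visited once, and the end-of-header test is a single character comparison per line rather than a separate pre-scan of the buffer.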
  37. 04 Feb, 2014 1 commit