- 26 Oct, 2018 40 commits
-
-
Release v0.26.8
Patrick Steinhardt committed -
Patrick Steinhardt committed
-
Patrick Steinhardt committed
-
The commit message encoding is currently being parsed by the `git__prefixcmp` function. As this function does not accept a buffer length, it will happily skip over a buffer's end if it is not `NUL` terminated. Fix the issue by using `git__prefixncmp` instead. Add a test that verifies that we are unable to parse the encoding field if it's cut off by the supplied buffer length. (cherry picked from commit 7655b2d8)
Patrick Steinhardt committed -
When parsing tags, we skip all unknown fields that appear before the tag message. This skipping is done by using a plain `strstr(buffer, "\n\n")` to search for the two newlines that separate tag fields from tag message. As it is not possible to supply a buffer length to `strstr`, this call may skip over the buffer's end and thus result in an out of bounds read. As `strstr` may return a pointer that is out of bounds, the following computation of `buffer_end - buffer` will overflow and result in an allocation of an invalid length. Fix the issue by using `git__memmem` instead. Add a test that verifies parsing the tag fails not due to the allocation failure but due to the tag having no message. (cherry picked from commit ee11d47e)
Patrick Steinhardt committed -
Unfortunately, neither the `memmem` nor the `strnstr` functions are part of any C standard but are merely extensions of C that are implemented by e.g. glibc. Thus, there is no standardized way to search for a string in a block of memory with a limited size, and using `strstr` is to be considered unsafe in case where the buffer has not been sanitized. In fact, there are some uses of `strstr` in exactly that unsafe way in our codebase. Provide a new function `git__memmem` that implements the `memmem` semantics. That is in a given haystack of `n` bytes, search for the occurrence of a byte sequence of `m` bytes and return a pointer to the first occurrence. The implementation chosen is the "Not So Naive" algorithm from [1]. It was chosen as the implementation is comparably simple while still being reasonably efficient in most cases. Preprocessing happens in constant time and space, searching has a time complexity of O(n*m) with a slightly sub-linear average case. [1]: http://www-igm.univ-mlv.fr/~lecroq/string/ (cherry picked from commit 83e8a6b3)
Patrick Steinhardt committed -
When an integer that is parsed with `git__strntol32` is too big to fit into an int32, we will generate an error message that includes the actual string that failed to parse. This does not acknowledge the fact that the string may either not be NUL terminated or alternative include additional characters after the number that is to be parsed. We may thus end up printing characters into the buffer that aren't the number or, worse, read out of bounds. Fix the issue by utilizing the `endptr` that was set by `git__strntol64`. This pointer is guaranteed to be set to the first character following the number, and we can thus use it to compute the width of the number that shall be printed. Create a test to verify that we correctly truncate the number. (cherry picked from commit ea19efc1)
Patrick Steinhardt committed -
While `git__strntol64` tries to detect integer overflows when doing the necessary arithmetics to come up with the final result, it does the detection only after the fact. This check thus relies on undefined behavior of signed integer overflows. Fix this by instead checking up-front whether the multiplications or additions will overflow. Note that a detected overflow will not cause us to abort parsing the current sequence of digits. In the case of an overflow, previous behavior was to still set up the end pointer correctly to point to the first character immediately after the currently parsed number. We do not want to change this now as code may rely on the end pointer being set up correctly even if the parsed number is too big to be represented as 64 bit integer. (cherry picked from commit b09c1c7b)
Patrick Steinhardt committed -
Some edge cases were currently completely untested, e.g. parsing numbers greater than INT64_{MIN,MAX}, truncating buffers by length and invalid characters. Add tests to verify that the system under test performs as expected. (cherry picked from commit 39087ab8)
Patrick Steinhardt committed -
The function `git__strtol32` can easily be misused when untrusted data is passed to it that may not have been sanitized with trailing `NUL` bytes. As all usages of this function have now been removed, we can remove this function altogether to avoid future misuse of it. (cherry picked from commit 8d7fa88a)
Patrick Steinhardt committed -
Replace remaining uses of the `git__strtol32` function. While these uses are all safe as the strings were either sanitized or from a trusted source, we want to remove `git__strtol32` altogether to avoid future misuse. (cherry picked from commit 2613fbb2)
Patrick Steinhardt committed -
We use the `git__strtol32` function to parse the child and entry count of treecaches from the index, which do not accept a buffer length. As the buffer that is being passed in is untrusted data and may thus be malformed and may not contain a terminating `NUL` byte, we can overrun the buffer and thus perform an out-of-bounds read. Fix the issue by uzing `git__strntol32` instead. (cherry picked from commit 21652ee9)
Patrick Steinhardt committed -
The function `git__strtol64` does not take a maximum buffer length as parameter. This has led to some unsafe usages of this function, and as such we may consider it as being unsafe to use. As we have now eradicated all usages of this function, let's remove it completely to avoid future misuse. (cherry picked from commit 68deb2cc)
Patrick Steinhardt committed -
When parsing integers from configuration values, we use `git__strtol64`. This is fine to do, as we always sanitize values and can thus be sure that they'll have a terminating `NUL` byte. But as this is the last call-site of `git__strtol64`, let's just pass in the length explicitly by calling `strlen` on the value to be able to remove `git__strtol64` altogether. (cherry picked from commit 1a2efd10)
Patrick Steinhardt committed -
We use `git__strtol64` and `git__strtol32` to parse the trailing commit or author date and timezone of signatures. As signatures are usually part of a commit or tag object and thus essentially untrusted data, the buffer may be misformatted and may not be `NUL` terminated. This may lead to an out-of-bounds read. Fix the issue by using `git__strntol64` and `git__strntol32` instead. (cherry picked from commit 3db9aa6f)
Patrick Steinhardt committed -
We use `git__strtol64` to parse file modes of the index entries, which does not limit the parsed buffer length. As the index can be essentially treated as "untrusted" in that the data stems from the file system, it may be misformatted and may not contain terminating `NUL` bytes. This may lead to out-of-bounds reads when trying to parse index entries with such malformatted modes. Fix the issue by using `git__strntol64` instead. (cherry picked from commit 600ceadd)
Patrick Steinhardt committed -
When quick-parsing a commit, we use `git__strtol64` to parse the commit's time. The buffer that's passed to `commit_quick_parse` is the raw data of an ODB object, though, whose data may not be properly formatted and also does not have to be `NUL` terminated. This may lead to out-of-bound reads. Use `git__strntol64` to avoid this problem. (cherry picked from commit 1a3fa1f5)
Patrick Steinhardt committed -
Before resetting the url and username, ensure that we free them in case they were set by environment variables. (cherry picked from commit e84914fd)
Edward Thomson committed -
Don't just free the spec vector, also free the specs themselves. (cherry picked from commit d285de73)
Edward Thomson committed -
Don't just free the push status structure, actually free the strings that were strdup'd into the struct as well. (cherry picked from commit dad99881)
Edward Thomson committed -
Free the url field when resetting the stream to avoid leaking it. (cherry picked from commit ca2eb460)
Edward Thomson committed -
(cherry picked from commit 820fb712)
Patrick Steinhardt committed -
PowerShell can _read_ top-level variables in functions, but cannot _update_ top-level variables in functions unless they're explicitly prefixed with `$global`. (cherry picked from commit 0e26717a)
Edward Thomson committed -
Don't stop on test failures; run all the tests, even when a test fails. (cherry picked from commit 429c7f11)
Edward Thomson committed -
Similar to the way we parse the ctest output on POSIX systems, do the same on Windows. This allows us to append the `-r` flag to clar after we've identified the command to run. (cherry picked from commit 7c9769d9)
Edward Thomson committed -
Introduce SKIP_*_TEST variables for Windows builds to match POSIX builds. (cherry picked from commit a8301b0c)
Edward Thomson committed -
Add the clar flags to produce JUnit-style XML output before invocation. (cherry picked from commit fff33a1b)
Edward Thomson committed -
This reverts commit a2d73f56. Using clar to propagate the XML settings was a mistake. (cherry picked from commit 943181c2)
Patrick Steinhardt committed -
Our CI test system invokes ctest with the name of the given tests it wishes to invoke. ctest (with the `-R` flag) treats this name as a regular expression. Provide anchors in the regular expression to avoid matching additional tests in this search. (cherry picked from commit 7e353b7a)
Edward Thomson committed -
Visual Studio Team Services is now a family of applications named "Azure DevOps". Update the README to refer to it thusly. (cherry picked from commit e2613039)
Edward Thomson committed -
VSTS is now a family of components; "Azure Pipelines" is the build and release pipeline application. (cherry picked from commit 464305b7)
Edward Thomson committed -
(cherry picked from commit d7d0139e)
Patrick Steinhardt committed -
Instead of trying to have a clever iterator pattern that increments the error number, just iterate over errors in the report errors or report all functions as it's easier to reason about in this fashion. (cherry picked from commit d17e67d0)
Edward Thomson committed -
Windows lacks %F and %T formats for strftime. Expand them to the year/month/day and hour/minute/second formats, respectively. (cherry picked from commit e595eeb5)
Edward Thomson committed -
Our build YAML is becoming unweildly and full of copy-pasta. Simplify with templates. (cherry picked from commit 6b2d8f09)
Patrick Steinhardt committed -
Explicitly run from the build directory, not the source. (I was mistaken about the default working directory for VSTS agents.) (cherry picked from commit 306875bc)
Edward Thomson committed -
CMake treats backslashes as escape characters; use forward slashes for the XML output path. (cherry picked from commit f3f2c45e)
Edward Thomson committed -
(cherry picked from commit bfcbde50)
Patrick Steinhardt committed -
(cherry picked from commit a84863fc)
Patrick Steinhardt committed -
Remove the global summary filename and file pointer; pass them in to the summary functions as needed. Error check the results of buffered I/O calls. (cherry picked from commit b67a93ff)
Edward Thomson committed
-