1. 28 Nov, 2019 1 commit
  2. 19 Nov, 2019 3 commits
  3. 16 Nov, 2019 3 commits
  4. 10 Nov, 2019 1 commit
    • patch_parse: use paths from "---"/"+++" lines for binary patches · de7659cc
      For some patches, it is not possible to derive the old and new file
      paths from the patch header's first line, most importantly when they
      contain spaces. In such a case, we derive both paths from the "---" and
      "+++" lines, which allow for non-ambiguous parsing. We fail to use these
      paths when parsing binary patches without data, though, as we always
      expect the header paths to be filled in.
      
      Fix this by using the "---"/"+++" paths by default and only fall back to
      header paths if they aren't set. If neither of those paths are set, we
      just return an error. Add two tests to verify this behaviour, one of
      which would have previously caused a segfault.
      Patrick Steinhardt committed
  5. 09 Nov, 2019 1 commit
  6. 06 Nov, 2019 3 commits
  7. 05 Nov, 2019 10 commits
  8. 02 Nov, 2019 1 commit
  9. 01 Nov, 2019 2 commits
  10. 30 Oct, 2019 2 commits
  11. 29 Oct, 2019 1 commit
  12. 26 Oct, 2019 1 commit
  13. 24 Oct, 2019 2 commits
  14. 22 Oct, 2019 1 commit
  15. 21 Oct, 2019 1 commit
    • patch_parse: detect overflow when calculating old/new line position · 37141ff7
      When the patch contains lines close to INT_MAX, then it may happen that
      we end up with an integer overflow when calculating the line of the
      current diff hunk. Reject such patches as unreasonable to avoid the
      integer overflow.
      
      As the calculation is performed on integers, we introduce two new
      helpers `git__add_int_overflow` and `git__sub_int_overflow` that perform
      the integer overflow check in a generic way.
      Patrick Steinhardt committed
  16. 19 Oct, 2019 3 commits
    • patch_parse: fix out-of-bounds read with No-NL lines · 468e3ddc
      We've got two locations where we copy lines into the patch. The first
      one is when copying normal " ", "-" or "+" lines, while the second
      location gets executed when we copy "\ No newline at end of file" lines.
      While the first one correctly uses `git__strndup` to copy only until the
      newline, the other one doesn't. Thus, if the line occurs at the end of
      the patch and if there is no terminating NUL character, then it may
      result in an out-of-bounds read.
      
      Fix the issue by using `git__strndup`, as was already done in the other
      location. Furthermore, add allocation checks to both locations to detect
      out-of-memory situations.
      Patrick Steinhardt committed
    • patch_parse: reject empty path names · 6c6c15e9
      When parsing patch headers, we currently accept empty path names just
      fine, e.g. a line "--- \n" would be parsed as the empty filename. This
      is not a valid patch format and may cause `NULL` pointer accesses at a
      later place as `git_buf_detach` will return `NULL` in that case.
      
      Reject such patches as malformed with a nice error message.
      Patrick Steinhardt committed
    • patch_parse: reject patches with multiple old/new paths · 223e7e43
      It's currently possible to have patches with multiple old path name
      headers. As we didn't check for this case, this resulted in a memory
      leak when overwriting the old old path with the new old path because we
      simply discarded the old pointer.
      
      Instead of fixing this by free'ing the old pointer, we should reject
      such patches altogether. It doesn't make any sense for the "---" or
      "+++" markers to occur multiple times within a patch n the first place.
      This also implicitly fixes the memory leak.
      Patrick Steinhardt committed
  17. 18 Oct, 2019 4 commits
    • Merge pull request #5269 from durin42/fuzzpatch · b246bed5
      fuzzers: add a new fuzzer for patch parsing
      Patrick Steinhardt committed
    • refdb_fs: properly parse corrupted reflogs · 7968e90f
      In previous versions, libgit2 could be coerced into writing reflog
      messages with embedded newlines into the reflog by using
      `git_stash_save` with a message containing newlines. While the root
      cause is fixed now, it was noticed that upstream git is in fact able to
      read such corrupted reflog messages just fine.
      
      Make the reflog parser more lenient in order to just skip over
      malformatted reflog lines to bring us in line with git. This requires us
      to change an existing test that verified that we do indeed _fail_ to
      parse such logs.
      Patrick Steinhardt committed
    • refdb_fs: convert reflog parsing to use parser · 8532ed11
      The refdb_fs code to parse the reflog currently uses a hand-rolled
      parser. Convert it to use our `git_parse_ctx` structure instead.
      Patrick Steinhardt committed
    • reflog: allow adding entries with newlines in their message · d8233feb
      Currently, the reflog disallows any entries that have a message with
      newlines, as that would effectively break the reflog format, which may
      contain a single line per entry, only. Upstream git behaves a bit
      differently, though, especially when considering stashes: instead of
      rejecting any reflog entry with newlines, git will simply replace
      newlines with spaces. E.g. executing 'git stash push -m "foo\nbar"' will
      create a reflog entry with "foo bar" as entry message.
      
      This commit adjusts our own logic to stop rejecting commit messages with
      newlines. Previously, this logic was part of `git_reflog_append`, only.
      There is a second place though where we add reflog entries, which is the
      serialization code in the filesystem refdb. As it didn't contain any
      sanity checks whatsoever, the refdb would have been perfectly happy to
      write malformatted reflog entries to the disk. This is being fixed with
      the same logic as for the reflog itself.
      Patrick Steinhardt committed