1. 18 Jul, 2019 1 commit
  2. 24 Jun, 2019 1 commit
  3. 15 Jun, 2019 2 commits
  4. 15 Feb, 2019 4 commits
    • idxmap: have `resize` functions return proper error code · 8da93944
      The currently existing function `git_idxmap_resize` and
      `git_idxmap_icase_resize` do not return any error codes at all due to their
      previous implementation making use of a macro. Due to that, it is impossible to
      see whether the resize operation might have failed due to an out-of-memory
      situation.
      
      Fix this by providing a proper error code. Adjust callers to make use of it.
      Patrick Steinhardt committed
    • idxmap: introduce high-level setter for key/value pairs · 661fc57b
      Currently, one would use the function `git_idxmap_insert` to insert key/value
      pairs into a map. This function has historically been a macro, which is why its
      syntax is kind of weird: instead of returning an error code directly, it instead
      has to be passed a pointer to where the return value shall be stored. This does
      not match libgit2's common idiom of directly returning error codes.
      
      Introduce a new function `git_idxmap_set`, which takes as parameters the map,
      key and value and directly returns an error code. Convert all callers of
      `git_idxmap_insert` to make use of it.
      Patrick Steinhardt committed
    • idxmap: introduce high-level getter for values · d00c24a9
      The current way of looking up an entry from a map is tightly coupled with the
      map implementation, as one first has to look up the index of the key and then
      retrieve the associated value by using the index. As a caller, you usually do
      not care about any indices at all, though, so this is more complicated than
really necessary. Furthermore, it invites errors if the correct
error checking sequence is not followed.
      
      Introduce new high-level functions `git_idxmap_get` and `git_idxmap_icase_get`
      that take a map and a key and return a pointer to the associated value if such a
      key exists. Otherwise, a `NULL` pointer is returned. Adjust all callers that can
      trivially be converted.
      Patrick Steinhardt committed
    • maps: use uniform lifecycle management functions · 351eeff3
      Currently, the lifecycle functions for maps (allocation, deallocation, resize)
      are not named in a uniform way and do not have a uniform function signature.
      Rename the functions to fix that, and stick to libgit2's naming scheme of saying
      `git_foo_new`. This results in the following new interface for allocation:
      
      - `int git_<t>map_new(git_<t>map **out)` to allocate a new map, returning an
        error code if we ran out of memory
      
      - `void git_<t>map_free(git_<t>map *map)` to free a map
      
- `void git_<t>map_clear(git_<t>map *map)` to remove all entries from a map
      
      This commit also fixes all existing callers.
      Patrick Steinhardt committed
  5. 25 Jan, 2019 1 commit
  6. 24 Jan, 2019 1 commit
    • index: preserve extension parsing errors · 0bf7e043
      Previously, we would clobber any extension-specific error message with
      an "extension is truncated" message. This makes `read_extension`
      correctly preserve those errors, takes responsibility for truncation
      errors, and adds a new message with the actual extension signature for
      unsupported mandatory extensions.
      Etienne Samson committed
  7. 22 Jan, 2019 1 commit
  8. 01 Dec, 2018 1 commit
  9. 28 Nov, 2018 1 commit
  10. 14 Nov, 2018 1 commit
  11. 19 Oct, 2018 2 commits
    • index: fix adding index entries with conflicting files · 8b6e2895
      When adding an index entry "a/b/c" while an index entry "a/b" already
      exists, git will happily remove "a/b/c" and only add the new index
      entry:
      
          $ git init test
          Initialized empty Git repository in /tmp/test.repo/test/.git/
          $ touch x
          $ git add x
          $ rm x
          $ mkdir x
          $ touch x/y
          $ git add x/y
          $ git status
          A x/y
      
      The other way round, adding an index entry "a/b" with an entry "a/b/c"
      already existing is equivalent, where git will remove "a/b/c" and add
      "a/b".
      
      In contrast, libgit2 will currently fail to add these properly and
      instead complain about the entry appearing as both a file and a
      directory. This is a programming error, though: our current code already
      tries to detect and, in the case of `git_index_add`, to automatically
      replace such index entries. Funnily enough, we already remove the
      conflicting index entries, but instead of adding the new entry we then
      bail out afterwards. This leaves callers with the worst of both worlds:
      we both remove the old entry but fail to add the new one.
      
      The root cause is weird semantics of the `has_file_name` and
      `has_dir_name` functions. While these functions only sound like they are
      responsible for detecting such conflicts, they will also already remove
them in case their `ok_to_replace` parameter is set. But even if we
tell them to replace such entries, they will return an error code.
      
Fix the error by returning success in case the entries have been
      replaced. Fix an already existing test which tested for wrong behaviour.
      Note that the test didn't notice that the resulting tree had no entries.
      Thus it is fine to change existing behaviour here, as the previous
result could've led to silently losing data. Also add a new test that
      verifies behaviour in the reverse conflicting case.
      Patrick Steinhardt committed
    • index: modernize error handling of `index_insert` · 923317db
The current error handling of the function `index_insert` is currently
      very fragile. Instead of erroring out in case an error has happened, it
      will instead verify that no error has happened for each statement. This
      makes adding new code to that function an adventurous task.
      
      Improve the situation by converting the function to use our typical
      `goto out` pattern.
      Patrick Steinhardt committed
  12. 18 Oct, 2018 1 commit
    • index: avoid out-of-bounds read when reading reuc entry stage · 600ceadd
      We use `git__strtol64` to parse file modes of the index entries, which
      does not limit the parsed buffer length. As the index can be essentially
      treated as "untrusted" in that the data stems from the file system, it
      may be misformatted and may not contain terminating `NUL` bytes. This
      may lead to out-of-bounds reads when trying to parse index entries with
      such malformatted modes.
      
      Fix the issue by using `git__strntol64` instead.
      Patrick Steinhardt committed
  13. 11 Sep, 2018 1 commit
  14. 16 Aug, 2018 1 commit
  15. 29 Jun, 2018 4 commits
    • settings: optional unsaved index safety · bfa1f022
      Add the `GIT_OPT_ENABLE_UNSAVED_INDEX_SAFETY` option, which will cause
      commands that reload the on-disk index to fail if the current
`git_index` has changes that have not been saved.  This will prevent
      users from - for example - adding a file to the index then calling a
      function like `git_checkout` and having that file be silently removed
      from the index since it was re-read from disk.
      
      Now calls that would re-read the index will fail if the index is
      "dirty", meaning changes have been made to it but have not been written.
      Users can either `git_index_read` to discard those changes explicitly,
      or `git_index_write` to write them.
      Edward Thomson committed
    • index: return a unique error code on dirty index · 787768c2
      When the index is dirty, return GIT_EINDEXDIRTY so that consumers can
identify the exact problem programmatically.
      Edward Thomson committed
    • index: commit the changes to the index properly · b242cdbf
      Now that the index has a "dirty" state, where it has changes that have
      not yet been committed or rolled back, our tests need to be adapted to
      actually commit or rollback the changes instead of assuming that the
      index can be operated on in its indeterminate state.
      Edward Thomson committed
    • index: add a dirty bit reflecting unsaved changes · 7c56c49b
      Teach the index when it is "dirty", and has unsaved changes.  Consider
      the index dirty whenever a caller has added or removed an entry from the
      main index, REUC or NAME section, including when the index is completely
      cleared.  Similarly, consider the index _not_ dirty immediately after it
      is written, or when it is read from the on-disk index.
      
      This allows us to ensure that unsaved changes are not lost when we
      automatically refresh the index.
      Edward Thomson committed
  16. 10 Jun, 2018 1 commit
  17. 01 Jun, 2018 1 commit
  18. 23 May, 2018 2 commits
  19. 10 Mar, 2018 3 commits
    • index: error out on unreasonable prefix-compressed path lengths · 3db1af1f
      When computing the complete path length from the encoded
      prefix-compressed path, we end up just allocating the complete path
      without ever checking what the encoded path length actually is. This can
easily lead to a denial of service by just encoding an unreasonably long
      path name inside of the index. Git already enforces a maximum path
      length of 4096 bytes. As we also have that enforcement ready in some
      places, just make sure that the resulting path is smaller than
      GIT_PATH_MAX.
      
      Reported-by: Krishna Ram Prakash R <krp@gtux.in>
      Reported-by: Vivek Parikh <viv0411.parikh@gmail.com>
      Patrick Steinhardt committed
    • index: fix out-of-bounds read with invalid index entry prefix length · 3207ddb0
      The index format in version 4 has prefix-compressed entries, where every
      index entry can compress its path by using a path prefix of the previous
entry. Since implementing support for this index format version in commit
      5625d86b (index: support index v4, 2016-05-17), though, we do not
      correctly verify that the prefix length that we want to reuse is
actually smaller than or equal to the length of the previous index
entry's path. This can lead to an integer underflow
      and subsequently to an out-of-bounds read.
      
      Fix this by verifying that the prefix is actually smaller than the
      previous entry's path length.
      
      Reported-by: Krishna Ram Prakash R <krp@gtux.in>
      Reported-by: Vivek Parikh <viv0411.parikh@gmail.com>
      Patrick Steinhardt committed
    • index: convert `read_entry` to return entry size via an out-param · 58a6fe94
      The function `read_entry` does not conform to our usual coding style of
      returning stuff via the out parameter and to use the return value for
      reporting errors. Due to most of our code conforming to that pattern, it
      has become quite natural for us to actually return `-1` in case there is
      any error, which has also slipped in with commit 5625d86b (index:
support index v4, 2016-05-17). As the function returns a `size_t` only,
      though, the return value is wrapped around, causing the caller of
      `read_tree` to continue with an invalid index entry. Ultimately, this
      can lead to a double-free.
      
      Improve code and fix the bug by converting the function to return the
      index entry size via an out parameter and only using the return value to
      indicate errors.
      
      Reported-by: Krishna Ram Prakash R <krp@gtux.in>
      Reported-by: Vivek Parikh <viv0411.parikh@gmail.com>
      Patrick Steinhardt committed
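The three index-v4 fixes above (3db1af1f, 3207ddb0, 58a6fe94) and the missing-NUL concern from 600ceadd all come down to the same parser-hardening rules: never subtract an untrusted count from a length without checking it first, cap the reconstructed path below GIT_PATH_MAX before allocating, report errors through the return value rather than a `size_t`, and search for terminators only inside the bounded buffer. The decoder below is an added illustration written for this page, not libgit2's `read_entry`; it assumes the v4 encoding where a strip count N is followed by a NUL-terminated suffix, and the function and argument names are mine.

```c
#include <stdio.h>
#include <string.h>

#define GIT_PATH_MAX 4096 /* the limit the commit messages cite */

/* Decode one index-v4 prefix-compressed path (hypothetical helper). `strip` is
 * the number of trailing bytes of the previous entry's path to drop; `buf` holds
 * the remaining index bytes and should start with a NUL-terminated suffix.
 * Returns 0 and fills the out-params, or -1 on a malformed entry. */
int read_v4_path(char *out, size_t out_size, size_t *out_len,
                 const char *prev, size_t prev_len, size_t strip,
                 const char *buf, size_t buf_len)
{
    /* Index data is untrusted: search for the terminator only inside the buffer. */
    const char *nul = memchr(buf, '\0', buf_len);
    size_t suffix_len, prefix_len, total_len;
    if (nul == NULL || strip > prev_len) /* 3207ddb0: strip > prev_len would underflow */
        return -1;
    suffix_len = (size_t)(nul - buf);
    prefix_len = prev_len - strip;
    /* 3db1af1f: bound the reconstructed length before copying anything; the
     * subtraction form keeps the check itself free of overflow. */
    if (prefix_len >= GIT_PATH_MAX || suffix_len >= GIT_PATH_MAX - prefix_len)
        return -1;
    total_len = prefix_len + suffix_len;
    if (total_len + 1 > out_size)
        return -1;
    memcpy(out, prev, prefix_len);
    memcpy(out + prefix_len, buf, suffix_len);
    out[total_len] = '\0';
    *out_len = total_len; /* 58a6fe94: size via out-param, status via return */
    return 0;
}

/* Constructed case: a 4095-byte suffix after a 2-byte prefix must be rejected. */
int oversized_path_is_rejected(void)
{
    static char suffix[GIT_PATH_MAX], out[GIT_PATH_MAX];
    size_t len = 0;
    memset(suffix, 'x', GIT_PATH_MAX - 1);
    suffix[GIT_PATH_MAX - 1] = '\0';
    return read_v4_path(out, sizeof out, &len, "a/b", 3, 1, suffix, GIT_PATH_MAX) == -1;
}

int main(void)
{
    char out[GIT_PATH_MAX]; size_t len = 0; /* constructed sample: "dir/a.c" - 3 + "b.c" */
    if (read_v4_path(out, sizeof out, &len, "dir/a.c", 7, 3, "b.c\0rest", 8) == 0)
        printf("%s (%zu bytes)\n", out, len);
    return 0;
}
```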
  20. 18 Feb, 2018 1 commit
  21. 16 Feb, 2018 1 commit
  22. 03 Jul, 2017 1 commit
    • Make sure to always include "common.h" first · 0c7f49dd
      Next to including several files, our "common.h" header also declares
      various macros which are then used throughout the project. As such, we
      have to make sure to always include this file first in all
      implementation files. Otherwise, we might encounter problems or even
      silent behavioural differences due to macros or defines not being
      defined as they should be. So in fact, our header and implementation
      files should make sure to always include "common.h" first.
      
      This commit does so by establishing a common include pattern. Header
      files inside of "src" will now always include "common.h" as its first
      other file, separated by a newline from all the other includes to make
      it stand out as special. There are two cases for the implementation
      files. If they do have a matching header file, they will always include
      this one first, leading to "common.h" being transitively included as
      first file. If they do not have a matching header file, they instead
      include "common.h" as first file themselves.
      
      This fixes the outlined problems and will become our standard practice
      for header and source files inside of the "src/" from now on.
      Patrick Steinhardt committed
  23. 06 Jun, 2017 7 commits