summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* checkout_paths(): remove unneeded flag variableMichael Haggerty2016-04-101-2/+1
| | | | | | | | It is never read, so we can pass NULL to resolve_ref_unsafe(). Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu> Signed-off-by: David Turner <dturner@twopensource.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* cmd_merge(): remove unneeded flag variableMichael Haggerty2016-04-101-2/+2
| | | | | | | | It is never read, so we can pass NULL to resolve_ref_unsafe(). Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu> Signed-off-by: David Turner <dturner@twopensource.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* fsck_head_link(): remove unneeded flag variableMichael Haggerty2016-04-101-2/+1
| | | | | | | | It is never read, so we can pass NULL to resolve_ref_unsafe(). Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu> Signed-off-by: David Turner <dturner@twopensource.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* read_raw_ref(): change flags parameter to unsigned intMichael Haggerty2016-04-101-3/+3
| | | | | | | | | | | read_raw_ref() is going to be part of the vtable for reference backends, so clean up its interface to use "unsigned int flags" rather than "int flags". Its caller still uses signed int for its flags arguments. But changing that would touch a lot of code, so leave it for now. Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu> Signed-off-by: David Turner <dturner@twopensource.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* files-backend: inline resolve_ref_1() into resolve_ref_unsafe()Michael Haggerty2016-04-101-22/+9
| | | | | | | | resolve_ref_unsafe() wasn't doing anything useful anymore. Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu> Signed-off-by: David Turner <dturner@twopensource.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* read_raw_ref(): manage own scratch spaceMichael Haggerty2016-04-101-35/+41
| | | | | | | | | | | | | | | | | | Instead of creating scratch space in resolve_ref_unsafe() and passing it down through resolve_ref_1 to read_raw_ref(), teach read_raw_ref() to manage its own scratch space. This reduces coupling across the functions at the cost of some extra allocations. Also, when read_raw_ref() is implemented for different reference backends, the other implementations might have different scratch space requirements. Note that we now preserve errno across the calls to strbuf_release(), which calls free() and can thus theoretically overwrite errno. Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu> Signed-off-by: David Turner <dturner@twopensource.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* files-backend: break out ref readingDavid Turner2016-04-101-99/+145
| | | | | | | | | | | | | Refactor resolve_ref_1 in terms of a new function read_raw_ref, which is responsible for reading ref data from the ref storage. Later, we will make read_raw_ref a pluggable backend function, and make resolve_ref_unsafe common. Signed-off-by: David Turner <dturner@twopensource.com> Helped-by: Duy Nguyen <pclouds@gmail.com> Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* resolve_ref_1(): eliminate local variable "bad_name"Michael Haggerty2016-04-101-8/+5
| | | | | | | | We can use (*flags & REF_BAD_NAME) for that purpose. Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu> Signed-off-by: David Turner <dturner@twopensource.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* resolve_ref_1(): reorder codeMichael Haggerty2016-04-101-2/+2
| | | | | | | | There is no need to adjust *flags if we're just about to fail. Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu> Signed-off-by: David Turner <dturner@twopensource.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* resolve_ref_1(): eliminate local variableMichael Haggerty2016-04-101-7/+6
| | | | | | | | | In place of `buf`, use `refname`, which is anyway a better description of what is being pointed at. Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu> Signed-off-by: David Turner <dturner@twopensource.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* resolve_ref_unsafe(): ensure flags is always setMichael Haggerty2016-04-101-18/+13
| | | | | | | | | | If the caller passes flags==NULL, then set it to point at a local scratch variable. This removes the need for a lot of "if (flags)" guards in resolve_ref_1() and resolve_missing_loose_ref(). Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu> Signed-off-by: David Turner <dturner@twopensource.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* resolve_ref_unsafe(): use for loop to count up to MAXDEPTHMichael Haggerty2016-04-101-7/+6
| | | | | | | | The loop's there anyway; we might as well use it. Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu> Signed-off-by: David Turner <dturner@twopensource.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* resolve_missing_loose_ref(): simplify semanticsMichael Haggerty2016-04-101-14/+10
| | | | | | | | | | | Make resolve_missing_loose_ref() only responsible for looking up a packed reference, without worrying about whether we want to read or write the reference and without setting errno on failure. Move the other logic to the caller. Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu> Signed-off-by: David Turner <dturner@twopensource.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* t1430: improve test coverage of deletion of badly-named refsMichael Haggerty2016-04-101-8/+96
| | | | | | | | | | | | | | | | | | | | | Check "branch -d broken...ref" Check various combinations of * Deleting using "update-ref -d" * Deleting using "update-ref --no-deref -d" * Deleting using "branch -d" in the following combinations of symref -> ref: * badname -> broken...ref * badname -> broken...ref (dangling) * broken...symref -> master * broken...symref -> idonotexist (dangling) Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu> Signed-off-by: David Turner <dturner@twopensource.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* t1430: test for-each-ref in the presence of badly-named refsMichael Haggerty2016-04-101-0/+16
| | | | | | Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu> Signed-off-by: David Turner <dturner@twopensource.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* t1430: don't rely on symbolic-ref for creating broken symrefsMichael Haggerty2016-04-101-2/+2
| | | | | | | | It's questionable whether it should even work. Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu> Signed-off-by: David Turner <dturner@twopensource.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* t1430: clean up broken refs/tags/shadowMichael Haggerty2016-04-101-1/+1
| | | | | | Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu> Signed-off-by: David Turner <dturner@twopensource.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* t1430: test the output and error of some commands more carefullyMichael Haggerty2016-04-101-6/+12
| | | | | | Signed-off-by: Michael Haggerty <mhagger@alum.mit.edu> Signed-off-by: David Turner <dturner@twopensource.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* refs: move for_each_*ref* functions into common codeDavid Turner2016-04-103-57/+66
| | | | | | | | | | | | Make do_for_each_ref take a submodule as an argument instead of a ref_cache. Since all for_each_*ref* functions are defined in terms of do_for_each_ref, we can then move them into the common code. Later, we can simply make do_for_each_ref into a backend function. Signed-off-by: David Turner <dturner@twopensource.com> Reviewed-by: Michael Haggerty <mhagger@alum.mit.edu> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* refs: move head_ref{,_submodule} to the common codeDavid Turner2016-04-102-28/+23
| | | | | | | | | | These don't use any backend-specific functions. These were previously defined in terms of the do_head_ref helper function, but since they are otherwise identical, we don't need that function. Signed-off-by: David Turner <dturner@twopensource.com> Reviewed-by: Michael Haggerty <mhagger@alum.mit.edu> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* verify_repository_format: mark messages for translationJeff King2016-03-121-2/+2
| | | | | | | These messages are human-readable and should be translated. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* setup: drop repository_format_version globalJeff King2016-03-123-3/+0
| | | | | | | | | | Nobody reads this anymore, and they're not likely to; the interesting thing is whether or not we passed check_repository_format(), and possibly the individual "extension" variables. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* setup: unify repository version callbacksJeff King2016-03-122-43/+23
| | | | | | | | | | | | | | | | | | | Once upon a time, check_repository_format_gently would parse the config with a single callback, and that callback would set up a bunch of global variables. But now that we have separate workdirs, we have to be more careful. Commit 31e26eb (setup.c: support multi-checkout repo setup, 2014-11-30) introduced a reduced callback which omits some values like core.worktree. In the "main" callback we call the reduced one, and then add back in the missing variables. Now that we have split the config-parsing from the munging of the global variables, we can do it all with a single callback, and keep all of the "are we in a separate workdir" logic together. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* init: use setup.c's repo version verificationJeff King2016-03-121-9/+12
| | | | | | | | | | | We check our templates to make sure they are from a version of git we understand (otherwise we would init a repository we cannot ourselves run in!). But our simple integer check has fallen behind the times. Let's use the helpers that setup.c provides to do it right. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* setup: refactor repo format reading and verificationJeff King2016-03-122-39/+103
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When we want to know if we're in a git repository of reasonable vintage, we can call check_repository_format_gently(), which does three things: 1. Reads the config from the .git/config file. 2. Verifies that the version info we read is sane. 3. Writes some global variables based on this. There are a few things we could improve here. One is that steps 1 and 3 happen together. So if the verification in step 2 fails, we still clobber the global variables. This is especially bad if we go on to try another repository directory; we may end up with a state of mixed config variables. The second is there's no way to ask about the repository version for anything besides the main repository we're in. git-init wants to do this, and it's possible that we would want to start doing so for submodules (e.g., to find out which ref backend they're using). We can improve both by splitting the first two steps into separate functions. Now check_repository_format_gently() calls out to steps 1 and 2, and does 3 only if step 2 succeeds. Note that the public interface for read_repository_format() and what check_repository_format_gently() needs from it are not quite the same, leading us to have an extra read_repository_format_1() helper. The extra needs from check_repository_format_gently() will go away in a future patch, and we can simplify this then to just the public interface. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* config: drop git_config_earlyJeff King2016-03-123-16/+4
| | | | | | | | | | There are no more callers, and it's a rather confusing interface. This could just be folded into git_config_with_options(), but for the sake of readability, we'll leave it as a separate (static) helper function. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* check_repository_format_gently: stop using git_config_earlyJeff King2016-03-121-8/+3
| | | | | | | | | | | | | | | | | | | There's a chicken-and-egg problem with using the regular git_config during the repository setup process. We get around it here by using a special interface that lets us specify the per-repo config, and avoid calling git_pathdup(). But this interface doesn't actually make sense. It will look in the system and per-user config, too; we definitely would not want to accept a core.repositoryformatversion from there. The git_config_from_file interface is a better match, as it lets us look at a single file. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* lazily load core.sharedrepositoryJeff King2016-03-122-2/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The "shared_repository" config is loaded as part of check_repository_format_version, but it's not quite like the other values we check there. Something like core.repositoryformatversion only makes sense in per-repo config, but core.sharedrepository can be set in a per-user config (e.g., to make all "git init" invocations shared by default). So it would make more sense as part of git_default_config. Commit 457f06d (Introduce core.sharedrepository, 2005-12-22) says: [...]the config variable is set in the function which checks the repository format. If this were done in git_default_config instead, a lot of programs would need to be modified to call git_config(git_default_config) first. This is still the case today, but we have one extra trick up our sleeve. Now that we have the git_configset infrastructure, it's not so expensive for us to ask for a single value. So we can simply lazy-load it on demand. This should be OK to do in general. There are some problems with loading config before setup_git_directory() is called, but we shouldn't be accessing the value before then (if we were, then it would already be broken, as the variable would not have been set by check_repository_format_version!). The trickiest caller is git-init, but it handles the values manually itself. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* wrap shared_repository global in get/set accessorsJeff King2016-03-125-20/+33
| | | | | | | | | | | | | It would be useful to control access to the global shared_repository, so that we can lazily load its config. The first step to doing so is to make sure all access goes through a set of functions. This step is purely mechanical, and should result in no change of behavior. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* setup: document check_repository_format()Jeff King2016-03-122-3/+10
| | | | | | | | | | | | This function's interface is rather enigmatic, so let's document it further. While we're here, let's also drop the return value. It will always either be "0" or the function will die (consequently, neither of its two callers bothered to check the return). Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* Git 2.8-rc1v2.8.0-rc1Junio C Hamano2016-03-042-1/+13
| | | | Signed-off-by: Junio C Hamano <gitster@pobox.com>
* Merge branch 'nd/clear-gitenv-upon-use-of-alias'Junio C Hamano2016-03-041-11/+9
|\ | | | | | | | | | | | | Hotfix for a test breakage made between 2.7 and 'master'. * nd/clear-gitenv-upon-use-of-alias: t0001: fix GIT_* environment variable check under --valgrind
| * t0001: fix GIT_* environment variable check under --valgrindJohannes Sixt2016-03-031-11/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | When a test case is run without --valgrind, the wrap-for-bin.sh helper script inserts the environment variable GIT_TEXTDOMAINDIR, but when run with --valgrind, the variable is missing. A recently introduced test case expects the presence of the variable, though, and fails under --valgrind. Rewrite the test case to strip conditially defined environment variables from both expected and actual output. Signed-off-by: Johannes Sixt <j6t@kdbg.org> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* | Merge branch 'js/pthread-exit-emu-windows'Junio C Hamano2016-03-041-1/+1
|\ \ | | | | | | | | | | | | * js/pthread-exit-emu-windows: Mark win32's pthread_exit() as NORETURN
| * | Mark win32's pthread_exit() as NORETURNJohannes Schindelin2016-03-021-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The pthread_exit() function is not expected to return. Ever. On Windows, we call ExitThread() whose documentation claims: "Ends the calling thread", i.e. there is no condition in which this function simply returns: https://msdn.microsoft.com/en-us/library/windows/desktop/ms682659 While at it, fix the return type to be void, as per http://pubs.opengroup.org/onlinepubs/9699919799/functions/pthread_exit.html Pointed out by Jeff King, helped by Stefan Naewe, Junio Hamano & Johannes Sixt. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* | | Merge branch 'sb/submodule-parallel-fetch'Junio C Hamano2016-03-044-32/+9
|\ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Simplify the two callback functions that are triggered when the child process terminates to avoid misuse of the child-process structure that has already been cleaned up. * sb/submodule-parallel-fetch: run-command: do not pass child process data into callbacks
| * | | run-command: do not pass child process data into callbacksStefan Beller2016-03-014-32/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The expected way to pass data into the callback is to pass them via the customizable callback pointer. The error reporting in default_{start_failure, task_finished} is not user friendly enough, that we want to encourage using the child data for such purposes. Furthermore the struct child data is cleaned by the run-command API, before we access them in the callbacks, leading to use-after-free situations. Signed-off-by: Stefan Beller <sbeller@google.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* | | | Merge branch 'jk/tighten-alloc'Junio C Hamano2016-03-041-1/+1
|\ \ \ \ | | | | | | | | | | | | | | | | | | | | * jk/tighten-alloc: compat/mingw: brown paper bag fix for 50a6c8e
| * | | | compat/mingw: brown paper bag fix for 50a6c8eJeff King2016-02-291-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Commit 50a6c8e (use st_add and st_mult for allocation size computation, 2016-02-22) fixed up many xmalloc call-sites including ones in compat/mingw.c. But I screwed up one of them, which was half-converted to ALLOC_ARRAY, using a very early prototype of the function. And I never caught it because I don't build on Windows. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* | | | | Merge branch 'nd/i18n-2.8.0'Junio C Hamano2016-03-044-21/+21
|\ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * nd/i18n-2.8.0: trailer.c: mark strings for translation ref-filter.c: mark strings for translation builtin/clone.c: mark strings for translation builtin/checkout.c: mark strings for translation
| * | | | | trailer.c: mark strings for translationNguyễn Thái Ngọc Duy2016-02-291-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
| * | | | | ref-filter.c: mark strings for translationNguyễn Thái Ngọc Duy2016-02-291-14/+14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
| * | | | | builtin/clone.c: mark strings for translationNguyễn Thái Ngọc Duy2016-02-291-5/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
| * | | | | builtin/checkout.c: mark strings for translationNguyễn Thái Ngọc Duy2016-02-291-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* | | | | | Merge branch 'tb/avoid-gcc-on-darwin-10-6'Junio C Hamano2016-03-041-0/+3
|\ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Out-of-maintenance gcc on OSX 10.6 fails to compile the code in 'master'; work it around by using clang by default on the platform. * tb/avoid-gcc-on-darwin-10-6: config.mak.uname: use clang for Mac OS X 10.6
| * | | | | | config.mak.uname: use clang for Mac OS X 10.6Torsten Bögershausen2016-02-291-0/+3
| |/ / / / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Gcc under Mac OX 10.6 throws an internal compiler error: CC combine-diff.o combine-diff.c: In function ‘diff_tree_combined’: combine-diff.c:1391: internal compiler error: Segmentation fault while attempting to build Git at 5b442c4f (tree-diff: catch integer overflow in combine_diff_path allocation, 2016-02-19). As clang that ships with the version does not have the same bug, make Git compile under Mac OS X 10.6 by using clang instead of gcc to work this around, as it is unlikely that we will see fixed GCC on that platform. Later versions of Mac OSX/Xcode only provide clang, and gcc is a wrapper to it. Signed-off-by: Torsten Bögershausen <tboegi@web.de> Signed-off-by: Junio C Hamano <gitster@pobox.com>
* | | | | | Merge branch 'jk/pack-idx-corruption-safety'Junio C Hamano2016-03-044-0/+207
|\ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The code to read the pack data using the offsets stored in the pack idx file has been made more carefully check the validity of the data in the idx. * jk/pack-idx-corruption-safety: sha1_file.c: mark strings for translation use_pack: handle signed off_t overflow nth_packed_object_offset: bounds-check extended offset t5313: test bounds-checks of corrupted/malicious pack/idx files
| * | | | | | sha1_file.c: mark strings for translationNguyễn Thái Ngọc Duy2016-02-271-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
| * | | | | | use_pack: handle signed off_t overflowJeff King2016-02-252-1/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | A v2 pack index file can specify an offset within a packfile of up to 2^64-1 bytes. On a system with a signed 64-bit off_t, we can represent only up to 2^63-1. This means that a corrupted .idx file can end up with a negative offset in the pack code. Our bounds-checking use_pack function looks for too-large offsets, but not for ones that have wrapped around to negative. Let's do so, which fixes an out-of-bounds access demonstrated in t5313. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
| * | | | | | nth_packed_object_offset: bounds-check extended offsetJeff King2016-02-254-1/+27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If a pack .idx file has a corrupted offset for an object, we may try to access an offset in the .idx or .pack file that is larger than the file's size. For the .pack case, we have use_pack() to protect us, which realizes the access is out of bounds. But if the corrupted value asks us to look in the .idx file's secondary 64-bit offset table, we blindly add it to the mmap'd index data and access arbitrary memory. We can fix this with a simple bounds-check compared to the size we found when we opened the .idx file. Note that there's similar code in index-pack that is triggered only during "index-pack --verify". To support both, we pull the bounds-check into a separate function, which dies when it sees a corrupted file. It would be nice if we could return an error, so that the pack code could try to find a good copy of the object elsewhere. Currently nth_packed_object_offset doesn't have any way to return an error, but it could probably use "0" as a sentinel value (since no object can start there). This is the minimal fix, and we can improve the resilience later on top. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>