From b717510550f48a7817b8bc56eb0d079e6702ff60 Mon Sep 17 00:00:00 2001
From: Todd Zullinger
Date: Thu, 24 May 2018 14:03:46 -0400
Subject: [PATCH] Fix segfault in rev-parse with invalid input (#1581678)
---
...lookup-ed-commit-references-for-NULL.patch | 68 +++++++++++++++++++
git.spec | 8 ++-
2 files changed, 75 insertions(+), 1 deletion(-)
create mode 100644 0001-rev-parse-check-lookup-ed-commit-references-for-NULL.patch
diff --git a/0001-rev-parse-check-lookup-ed-commit-references-for-NULL.patch b/0001-rev-parse-check-lookup-ed-commit-references-for-NULL.patch
new file mode 100644
index 0000000..7a78bff
--- /dev/null
+++ b/0001-rev-parse-check-lookup-ed-commit-references-for-NULL.patch
@@ -0,0 +1,68 @@
+From 3aa1681c8661b2f798277a55ab33ce7ba787288c Mon Sep 17 00:00:00 2001
+From: Elijah Newren
+Date: Wed, 23 May 2018 23:27:33 -0700
+Subject: [PATCH] rev-parse: check lookup'ed commit references for NULL
+
+Commits 2122f8b963d4 ("rev-parse: Add support for the ^! and ^@ syntax",
+2008-07-26) and 3dd4e7320d ("Teach rev-parse the ... syntax.", 2006-07-04)
+taught rev-parse new syntax, and used lookup_commit_reference() as part of
+their logic. Neither usage checked the returned commit to see if it was
+non-NULL before using it. Check for NULL and ensure an appropriate error
+is reported to the user.
+
+Reported by Florian Weimer and Todd Zullinger.
+
+Helped-by: Jeff King
+Signed-off-by: Elijah Newren
+---
+ builtin/rev-parse.c | 8 ++++++--
+ t/t6101-rev-parse-parents.sh | 8 ++++++++
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/builtin/rev-parse.c b/builtin/rev-parse.c
+index a1e680b5e9..a0a0ace38d 100644
+--- a/builtin/rev-parse.c
++++ b/builtin/rev-parse.c
+@@ -282,6 +282,10 @@ static int try_difference(const char *arg)
+ struct commit *a, *b;
+ a = lookup_commit_reference(&start_oid);
+ b = lookup_commit_reference(&end_oid);
++ if (!a || !b) {
++ *dotdot = '.';
++ return 0;
++ }
+ exclude = get_merge_bases(a, b);
+ while (exclude) {
+ struct commit *commit = pop_commit(&exclude);
+@@ -328,12 +332,12 @@ static int try_parent_shorthands(const char *arg)
+ return 0;
+
+ *dotdot = 0;
+- if (get_oid_committish(arg, &oid)) {
++ if (get_oid_committish(arg, &oid) ||
++ !(commit = lookup_commit_reference(&oid))) {
+ *dotdot = '^';
+ return 0;
+ }
+
+- commit = lookup_commit_reference(&oid);
+ if (exclude_parent &&
+ exclude_parent > commit_list_count(commit->parents)) {
+ *dotdot = '^';
+diff --git a/t/t6101-rev-parse-parents.sh b/t/t6101-rev-parse-parents.sh
+index 8c617981a3..7683e4a114 100755
+--- a/t/t6101-rev-parse-parents.sh
++++ b/t/t6101-rev-parse-parents.sh
+@@ -214,4 +214,12 @@ test_expect_success 'rev-list merge^-1x 
(garbage after ^-1)' '
+ test_must_fail git rev-list merge^-1x
+ '
+
++test_expect_success 'rev-parse $garbage^@ does not segfault' '
++ test_must_fail git rev-parse $EMPTY_TREE^@
++'
++
++test_expect_success 'rev-parse $garbage...$garbage does not segfault' '
++ test_must_fail git rev-parse $EMPTY_TREE...$EMPTY_BLOB
++'
++
+ test_done
diff --git a/git.spec b/git.spec
index 782e8d9..50ca2b7 100644
--- a/git.spec
+++ b/git.spec
@@ -83,7 +83,7 @@ Name: git Version: 2.17.0 -Release: 3%{?rcrev}%{?dist} +Release: 4%{?rcrev}%{?dist} Summary: Fast Version Control System License: GPLv2 URL: https://git-scm.com/
@@ -120,6 +120,9 @@ Patch1: git-cvsimport-Ignore-cvsps-2.2b1-Branches-output.patch Patch2: 0001-git-svn-avoid-warning-on-undef-readline.patch # https://github.com/gitster/git/commit/e67d906.patch Patch3: 0001-daemon.c-fix-condition-for-redirecting-stderr.patch +# https://bugzilla.redhat.com/1581678 +# https://public-inbox.org/git/20180524062733.5412-1-newren@gmail.com/ +Patch4: 0001-rev-parse-check-lookup-ed-commit-references-for-NULL.patch %if %{with docs} BuildRequires: asciidoc >= 8.4.1
@@ -886,6 +889,9 @@ make test || ./print-failed-test-output %{?with_docs:%{_pkgdocdir}/git-svn.html} %changelog +* Thu May 24 2018 Todd Zullinger - 2.17.0-4 +- Fix segfault in rev-parse with invalid input (#1581678) + * Mon Apr 16 2018 Todd Zullinger - 2.17.0-3 - Move linkcheck macro to existing fedora/rhel > 7 block - Re-enable t5000-tar-tree.sh test on f28
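Review bot: In the embedded upstream patch, the two tests added to t/t6101-rev-parse-parents.sh assert only `test_must_fail`, which pins "non-zero exit without a crash" but not the error report the commit message promises; capturing stderr would cover both, e.g. `test_must_fail git rev-parse $EMPTY_TREE^@ 2>err && test -s err`. The new `if (!a || !b)` guard in `try_difference` would also benefit from a one-line comment such as `/* either end may name a tree or blob, which does not resolve to a commit */`, since nothing at the call site says why a successfully parsed id can still yield NULL. Both C functions start and end outside their hunks, so whether anything has already been written to stdout before the guard returns 0 cannot be checked from here; if it has, callers that parse rev-parse output would see partial results ahead of the failure.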