delta/libgit2.git/src/commit.c, branch ethomson/proxy github.com: libgit2/libgit2.git commit: fix out-of-bound reads when parsing truncated author fields 2018-11-21T10:01:30+00:00 Patrick Steinhardt ps@pks.im 2018-11-21T09:54:29+00:00 cb23c3efd22d34db279ceb39cc312473761db5ed While commit objects usually should have only one author field, our commit parser actually handles the case where a commit has multiple author fields because some tools that exist in the wild actually write them. Detection of those additional author fields is done by using a simple `git__prefixcmp`, checking whether the current line starts with the string "author ". In case where we are handed a non-NUL-terminated string that ends directly after the space, though, we may have an out-of-bounds read of one byte when trying to compare the expected final NUL byte. Fix the issue by using `git__prefixncmp` instead of `git_prefixcmp`. Unfortunately, a test cannot be easily written to catch this case. While we could test the last error message and verify that it didn't in fact fail parsing a signature (because that would indicate that it has in fact tried to parse the additional "author " field, which it shouldn't be able to detect in the first place), this doesn't work as the next line needs to be the "committer" field, which would error out with the same error message even if we hadn't done an out-of-bounds read. As objects read from the object database are always NUL terminated, this issue cannot be triggered in normal code and thus it's not security critical. 
While commit objects usually should have only one author field, our commit
parser actually handles the case where a commit has multiple author fields
because some tools that exist in the wild actually write them. Detection of
those additional author fields is done by using a simple `git__prefixcmp`,
checking whether the current line starts with the string "author ". In case
where we are handed a non-NUL-terminated string that ends directly after the
space, though, we may have an out-of-bounds read of one byte when trying to
compare the expected final NUL byte.

Fix the issue by using `git__prefixncmp` instead of `git_prefixcmp`.
Unfortunately, a test cannot be easily written to catch this case. While we
could test the last error message and verify that it didn't in fact fail parsing
a signature (because that would indicate that it has in fact tried to parse the
additional "author " field, which it shouldn't be able to detect in the first
place), this doesn't work as the next line needs to be the "committer" field,
which would error out with the same error message even if we hadn't done an
out-of-bounds read.

As objects read from the object database are always NUL terminated, this issue
cannot be triggered in normal code and thus it's not security critical.
commit: fix reading out of bounds when parsing encoding 2018-10-25T10:52:54+00:00 Patrick Steinhardt ps@pks.im 2018-10-19T08:29:19+00:00 7655b2d89e8275853d9921dd903dcdad9b3d4a7b The commit message encoding is currently being parsed by the `git__prefixcmp` function. As this function does not accept a buffer length, it will happily skip over a buffer's end if it is not `NUL` terminated. Fix the issue by using `git__prefixncmp` instead. Add a test that verifies that we are unable to parse the encoding field if it's cut off by the supplied buffer length. 
The commit message encoding is currently being parsed by the
`git__prefixcmp` function. As this function does not accept a buffer
length, it will happily skip over a buffer's end if it is not `NUL`
terminated.

Fix the issue by using `git__prefixncmp` instead. Add a test that
verifies that we are unable to parse the encoding field if it's cut off
by the supplied buffer length.
commit: implement function to parse raw data 2018-06-22T07:50:07+00:00 Patrick Steinhardt ps@pks.im 2017-10-13T11:11:59+00:00 ab265a351044e724b6c9049f404e9de64c732130 Currently, parsing objects is strictly tied to having an ODB object available. This makes it hard to parse an object when all that is available is its raw object and size. Furthermore, hacking around that limitation by directly creating an ODB structure either on stack or on heap does not really work that well due to ODB objects being reference counted and then automatically free'd when reaching a reference count of zero. Implement a function `git_commit__parse_raw` to parse a commit object from a pair of `data` and `size`. 
Currently, parsing objects is strictly tied to having an ODB object
available. This makes it hard to parse an object when all that is
available is its raw object and size. Furthermore, hacking around that
limitation by directly creating an ODB structure either on stack or on
heap does not really work that well due to ODB objects being reference
counted and then automatically free'd when reaching a reference count of
zero.

Implement a function `git_commit__parse_raw` to parse a commit object
from a pair of `data` and `size`.
mailmap: API and style cleanup 2018-06-15T05:43:28+00:00 Nika Layzell nika@thelayzells.com 2018-05-07T18:59:00+00:00 56303e1ade453648230115cdaaba8244273f3315 






mailmap: Integrate mailmaps with blame and signatures
2018-06-15T05:43:27+00:00

Nika Layzell
nika@thelayzells.com

2018-03-17T22:15:01+00:00

e3dcaca579ba344ccdacfe4835dcc7bf52c5ba57












Convert usage of `git_buf_free` to new `git_buf_dispose`
2018-06-10T17:34:37+00:00

Patrick Steinhardt
ps@pks.im

2018-02-08T11:14:48+00:00

ecf4f33a4e327a91496f72816f9f02d923e5af05












Make sure to always include "common.h" first
2017-07-03T08:51:48+00:00

Patrick Steinhardt
ps@pks.im

2017-06-30T11:39:01+00:00

0c7f49dd4316b332f30b4ea72a657bace41e1245

Next to including several files, our "common.h" header also declares
various macros which are then used throughout the project. As such, we
have to make sure to always include this file first in all
implementation files. Otherwise, we might encounter problems or even
silent behavioural differences due to macros or defines not being
defined as they should be. So in fact, our header and implementation
files should make sure to always include "common.h" first.

This commit does so by establishing a common include pattern. Header
files inside of "src" will now always include "common.h" as its first
other file, separated by a newline from all the other includes to make
it stand out as special. There are two cases for the implementation
files. If they do have a matching header file, they will always include
this one first, leading to "common.h" being transitively included as
first file. If they do not have a matching header file, they instead
include "common.h" as first file themselves.

This fixes the outlined problems and will become our standard practice
for header and source files inside of the "src/" from now on.





Next to including several files, our "common.h" header also declares
various macros which are then used throughout the project. As such, we
have to make sure to always include this file first in all
implementation files. Otherwise, we might encounter problems or even
silent behavioural differences due to macros or defines not being
defined as they should be. So in fact, our header and implementation
files should make sure to always include "common.h" first.

This commit does so by establishing a common include pattern. Header
files inside of "src" will now always include "common.h" as its first
other file, separated by a newline from all the other includes to make
it stand out as special. There are two cases for the implementation
files. If they do have a matching header file, they will always include
this one first, leading to "common.h" being transitively included as
first file. If they do not have a matching header file, they instead
include "common.h" as first file themselves.

This fixes the outlined problems and will become our standard practice
for header and source files inside of the "src/" from now on.







git_commit_create: freshen tree objects in commit
2017-03-03T14:12:00+00:00

Edward Thomson
ethomson@github.com

2017-03-03T13:26:29+00:00

52d03f37f70ebde3e0a7794a60dbf68d0e69b9e8

Freshen the tree object that a commit points to during commit time.





Freshen the tree object that a commit points to during commit time.







commit: avoid possible use-after-free
2017-02-13T12:50:52+00:00

Patrick Steinhardt
ps@pks.im

2017-02-13T12:46:17+00:00

ade0d9c658fdfc68d8046935f6908f033fe7a529

When extracting a commit's signature, we first free the object and only
afterwards put its signature contents into the result buffer. This works
in most cases - the free'd object will normally be cached anyway, so we
only end up decrementing its reference count without actually freeing
its contents. But in some more exotic setups, where caching is disabled,
this can definitly be a problem, as we might be the only instance
currently holding a reference to this object.

Fix this issue by first extracting the contents and freeing the object
afterwards only.





When extracting a commit's signature, we first free the object and only
afterwards put its signature contents into the result buffer. This works
in most cases - the free'd object will normally be cached anyway, so we
only end up decrementing its reference count without actually freeing
its contents. But in some more exotic setups, where caching is disabled,
this can definitly be a problem, as we might be the only instance
currently holding a reference to this object.

Fix this issue by first extracting the contents and freeing the object
afterwards only.







commit: clear user-provided buffers
2017-02-13T12:50:52+00:00

Patrick Steinhardt
ps@pks.im

2017-02-13T12:42:16+00:00

dc851d9eae21db8671118d798e55990e199af6af

The functions `git_commit_header_field` and
`git_commit_extract_signature` both receive buffers used to hand back
the results to the user. While these functions called `git_buf_sanitize`
on these buffers, this is not the right thing to do, as it will simply
initialize or zero-terminate passed buffers. As we want to overwrite
contents, we instead have to call `git_buf_clear` to completely reset
them.





The functions `git_commit_header_field` and
`git_commit_extract_signature` both receive buffers used to hand back
the results to the user. While these functions called `git_buf_sanitize`
on these buffers, this is not the right thing to do, as it will simply
initialize or zero-terminate passed buffers. As we want to overwrite
contents, we instead have to call `git_buf_clear` to completely reset
them.