[PATCH 2/2] fix "bundle --stdin" segfault

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Jonathan Nieder

Subject: [PATCH 2/2] fix "bundle --stdin" segfault

Date: Monday, April 19, 2010 - 1:03 am

When passed an empty list, objects_array_remove_duplicates() corrupts
it by changing the number of entries from 0 to 1.

The problem lies in the condition of its main loop:

	for (ref = 0; ref < array->nr - 1; ref++) {

The loop body manipulates the supplied object array.  In the case of
an empty array, it should not be doing anything at all.  But array->nr
is an unsigned quantity, so the code enters the loop, in particular
increasing array->nr.  Fix this by comparing (ref + 1 < array->nr)
instead.

This bug can be triggered by git bundle --stdin:

	$ echo HEAD | git bundle create some.bundle --stdin’
	Segmentation fault (core dumped)

The list of commits to bundle appears to be empty because of another
bug: by the time the revision-walking machinery gets to look at it,
standard input has already been consumed by rev-list, so
...remove_duplicates() gets an empty list of revisions.

After this patch, git bundle --stdin still does not work; it just
doesn’t segfault any more.

Reported-by: Joey Hess <joey@kitenet.net>
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
---
 object.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/object.c b/object.c
index 3ca92c4..277b3dd 100644
--- a/object.c
+++ b/object.c
@@ -252,10 +252,10 @@ void add_object_array_with_mode(struct object *obj, const char *name, struct obj
 
 void object_array_remove_duplicates(struct object_array *array)
 {
-	int ref, src, dst;
+	unsigned int ref, src, dst;
 	struct object_array_entry *objects = array->objects;
 
-	for (ref = 0; ref < array->nr - 1; ref++) {
+	for (ref = 0; ref + 1 < array->nr; ref++) {
 		for (src = ref + 1, dst = src;
 		     src < array->nr;
 		     src++) {
-- 
1.7.1.rc1

--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

bug: git-bundle create foo --stdin -> segfault, Joey Hess, (Mon Jan 18, 5:26 pm)

Re: bug: git-bundle create foo --stdin -> segfault, Johannes Schindelin, (Tue Jan 19, 4:52 pm)

[PATCH 0/2] test bundle --stdin, fix objects_array_remove_ ..., Jonathan Nieder, (Mon Apr 19, 12:14 am)

[PATCH 1/2] t5704 (bundle): add tests for bundle --stdin, Jonathan Nieder, (Mon Apr 19, 1:03 am)

[PATCH 2/2] fix "bundle --stdin" segfault, Jonathan Nieder, (Mon Apr 19, 1:03 am)

Re: [PATCH 0/2] test bundle --stdin, fix objects_array_rem ..., Junio C Hamano, (Mon Apr 19, 10:16 pm)

[RFC/PATCH 0/8] Re: bug: git-bundle create foo --stdin -> ..., Jonathan Nieder, (Fri Jun 25, 11:17 pm)

[PATCH 1/8] bundle: split basis discovery into its own fun ..., Jonathan Nieder, (Fri Jun 25, 11:19 pm)

[PATCH 2/8] bundle: use libified rev-list --boundary, Jonathan Nieder, (Fri Jun 25, 11:20 pm)

[PATCH 3/8] bundle: give list_prerequisites() loop body it ..., Jonathan Nieder, (Fri Jun 25, 11:20 pm)

[PATCH 4/8] bundle: split table of contents output into it ..., Jonathan Nieder, (Fri Jun 25, 11:21 pm)

[PATCH 5/8] bundle: reuse setup_revisions result, Jonathan Nieder, (Fri Jun 25, 11:22 pm)

[PATCH 6/8] Fix bundle --stdin, Jonathan Nieder, (Fri Jun 25, 11:28 pm)

[RFC/PATCH 7/8] bundle: Keep names of basis refs after dis ..., Jonathan Nieder, (Fri Jun 25, 11:29 pm)

[PATCH 8/8] bundle_create: Do not exit when given no revs ..., Jonathan Nieder, (Fri Jun 25, 11:31 pm)

Re: [PATCH 2/8] bundle: use libified rev-list --boundary, Junio C Hamano, (Wed Jun 30, 10:57 am)

Re: [PATCH 3/8] bundle: give list_prerequisites() loop bod ..., Junio C Hamano, (Wed Jun 30, 11:04 am)

Re: [PATCH 2/8] bundle: use libified rev-list --boundary, Jonathan Nieder, (Wed Jun 30, 1:34 pm)

Re: [PATCH 3/8] bundle: give list_prerequisites() loop bod ..., Jonathan Nieder, (Wed Jun 30, 1:37 pm)


linux-kernel:
Mel Gorman	Re: [PATCH 1/4] vmstat: remove zone->lock from walk_zones_in_node
Guenter Roeck	Re: [lm-sensors] Location for thermal drivers
David Woodhouse	Re: RFC: Moving firmware blobs out of the kernel.
Siddha, Suresh B	Re: [PATCH 2.6.21 review I] [11/25] x86: default to physical mode on hotplug CPU k...
Peter Zijlstra	Re: [patch 4/6] mm: merge populate and nopage into fault (fixes nonlinear)
git-commits-head:
Linux Kernel Mailing List	[MIPS] Fix potential latency problem due to non-atomic cpu_wait.
Linux Kernel Mailing List	USB: rename USB_SPEED_VARIABLE to USB_SPEED_WIRELESS
Linux Kernel Mailing List	lib/vsprintf.c: fix bug omitting minus sign of numbers (module_param)
Linux Kernel Mailing List	[Bluetooth] Initiate authentication during connection establishment
Linux Kernel Mailing List	[POWERPC] 4xx: Add ppc40x_defconfig
linux-netdev:
MERCEDES	Your mail id has won 950,000.00 in the MERCEDES Benz Online Promo.for claims send:
David Miller	Re: [PATCH] xen/netfront: do not mark packets of length < MSS as GSO
David Miller	Re: skb_segment() questions
Shan Wei	[RFC PATCH net-next 2/5]IPv6:netfilter: Send an ICMPv6 "Fragment Reassembly Timeou...
Stanislaw Gruszka	[PATCH 1/4] bnx2x: use smp_mb() to keep ordering of read write operations
git:
Nicolas Sebrecht	git-svn died of signal 11 (was "3 failures on test t9100 (svn)")
Junio C Hamano	Re: [PATCH 2/2] Add url.<base>.pushInsteadOf: URL rewriting for push only
Martin Langhoff	Re: [PATCH] GIT commit statistics.
Alexandre Julliard	[PATCH] gitweb: Put back shortlog instead of graphiclog in the project list.
Josh Triplett	[PATCH 2/2] Add url.<base>.pushInsteadOf: URL rewriting for push only
openbsd-misc:
Taisto Qvist XX	Re: AMD GEODE LX-800 just works with kernel from install42.iso and kernelpanics wi...
Nico Meijer	Re: gOS Develop Kit with VIA pc-1 Processor Platform VIA C7-D
Andreas Bihlmaier	Re: jetway board sensors (Fintek F71805F)
admin	Drive a 2009 car from R799p/m
Antti Harri	Re: how to create a sha256 hash