Commit Graph

42854 Commits

Author SHA1 Message Date
Jiang Xin
75b01c2190 Merge branch 'master' of https://github.com/vnwildman/git
* 'master' of https://github.com/vnwildman/git:
  l10n: vi.po (2509t): Updated Vietnamese translation
2016-02-29 23:31:58 +08:00
Tran Ngoc Quan
0c966d8450 l10n: vi.po (2509t): Updated Vietnamese translation
Signed-off-by: Tran Ngoc Quan <vnwildman@gmail.com>
2016-02-29 07:47:45 +07:00
Torsten Bögershausen
7b6daf8d2f config.mak.uname: use clang for Mac OS X 10.6
Gcc under Mac OX 10.6 throws an internal compiler error:

CC combine-diff.o
    combine-diff.c: In function ‘diff_tree_combined’:
    combine-diff.c:1391: internal compiler error: Segmentation fault

while attempting to build Git at 5b442c4f (tree-diff: catch integer
overflow in combine_diff_path allocation, 2016-02-19).

As clang that ships with the version does not have the same bug,
make Git compile under Mac OS X 10.6 by using clang instead of gcc
to work this around, as it is unlikely that we will see fixed GCC
on that platform.

Later versions of Mac OSX/Xcode only provide clang, and gcc is a
wrapper to it.

Signed-off-by: Torsten Bögershausen <tboegi@web.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-02-28 16:34:23 -08:00
Jean-Noel Avila
3d8b14c2bc l10n: fr.po v2.8.0 round 1 2509t
Signed-off-by: Jean-Noel Avila <jn.avila@free.fr>
2016-02-28 22:44:35 +01:00
John Keeping
24990b2feb Documentation/git-config: fix --get-all description
--get does not fail if a key is multi-valued, it returns the last value
as described in its documentation.  Clarify the description of --get-all
to avoid implying that --get does fail in this case.

Signed-off-by: John Keeping <john@keeping.me.uk>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-02-28 12:01:45 -08:00
John Keeping
94c5b0e8b9 Documentation/git-config: use bulleted list for exit codes
Using a numbered list is confusing because the exit codes are not listed
in order so the numbers at the start of each line do not match the exit
codes described by the following text.  Switch to a bulleted list so
that the only number appearing on each line is the exit code described.

Signed-off-by: John Keeping <john@keeping.me.uk>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-02-28 12:01:45 -08:00
John Keeping
27b30be686 config: fail if --get-urlmatch finds no value
The --get, --get-all and --get-regexp options to git-config exit with
status 1 if the key is not found but --get-urlmatch succeeds in this
case.

Change --get-urlmatch to behave in the same way as the other --get*
options so that all four are consistent.  --get-color is a special case
because it accepts a default value to return and so should not return an
error if the key is not found.

Also clarify this behaviour in the documentation.

Signed-off-by: John Keeping <john@keeping.me.uk>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-02-28 12:01:45 -08:00
Jeff King
01143847db add--interactive: allow custom diff highlighting programs
The patch hunk selector of add--interactive knows how ask
git for colorized diffs, and correlate them with the
uncolored diffs we apply. But there's not any way for
somebody who uses a diff-filter tool like contrib's
diff-highlight to see their normal highlighting.

This patch lets users define an arbitrary shell command to
pipe the colorized diff through. The exact output shouldn't
matter (since we just show the result to humans) as long as
it is line-compatible with the original diff (so that
hunk-splitting can split the colorized version, too).

I left two minor issues with the new system that I don't
think are worth fixing right now, but could be done later:

  1. We only filter colorized diffs. Theoretically a user
     could want to filter a non-colorized diff, but I find
     it unlikely in practice. Users who are doing things
     like diff-highlighting are likely to want color, too.

  2. add--interactive will re-colorize a diff which has been
     hand-edited, but it won't have run through the filter.
     Fixing this is conceptually easy (just pipe the diff
     through the filter), but practically hard to do without
     using tempfiles (it would need to feed data to and read
     the result from the filter without deadlocking; this
     raises portability questions with respect to Windows).

I've punted on both issues for now, and if somebody really
cares later, they can do a patch on top.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-02-28 10:53:54 -08:00
Jeff King
a4e21fb4dc t1515: add tests for rev-parse out-of-repo helpers
The git-rev-parse command is a dumping ground for helpers
that let scripts make various queries of git. Many of these
are conceptually independent of being inside a git
repository.

With the exception of --parseopt, we do not directly test
most of these features in our test suite. Let's give them
some basic sanity checks, which reveals that some of them
have been broken for some time when run from outside a
repository.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-02-28 10:35:26 -08:00
Audric Schiltknecht
a56b3a9676 l10n: fr.po: Correct case in sentence
Signed-off-by: Audric Schiltknecht <storm@chemicalstorm.org>
2016-02-28 16:59:18 +01:00
Jiang Xin
9eb3984b81 l10n: git.pot: v2.8.0 round 1 (48 new, 16 removed)
Generate po/git.pot from v2.8.0-rc0 for git v2.8.0 l10n round 1.

Signed-off-by: Jiang Xin <worldhello.net@gmail.com>
2016-02-28 20:32:52 +08:00
Nguyễn Thái Ngọc Duy
7465feba51 sha1_file.c: mark strings for translation
Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-02-27 09:54:57 -08:00
Junio C Hamano
f02fbc4f94 Git 2.8-rc0
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-02-26 13:45:26 -08:00
Junio C Hamano
b52cb95a13 Merge branch 'mm/readme-markdown'
README has been renamed to README.md and its contents got tweaked
slightly to make it easier on the eyes.

* mm/readme-markdown:
  README.md: move down historical explanation about the name
  README.md: don't call git stupid in the title
  README.md: move the link to git-scm.com up
  README.md: add hyperlinks on filenames
  README: use markdown syntax
2016-02-26 13:37:28 -08:00
Junio C Hamano
2e55d300f2 Merge branch 'ma/update-hooks-sample-typofix'
* ma/update-hooks-sample-typofix:
  templates/hooks: fix minor typo in the sample update-hook
2016-02-26 13:37:28 -08:00
Junio C Hamano
0f0dd370c8 Merge branch 'ls/makefile-cflags-developer-tweak'
There is a new DEVELOPER knob that enables many compiler warning
options in the Makefile.

* ls/makefile-cflags-developer-tweak:
  add DEVELOPER makefile knob to check for acknowledged warnings
2016-02-26 13:37:27 -08:00
Junio C Hamano
69616f7436 Merge branch 'dt/initial-ref-xn-commit-doc'
* dt/initial-ref-xn-commit-doc:
  refs: document transaction semantics
2016-02-26 13:37:27 -08:00
Junio C Hamano
d3faba840e Merge branch 'js/config-set-in-non-repository'
"git config section.var value" to set a value in per-repository
configuration file failed when it was run outside any repository,
but didn't say the reason correctly.

* js/config-set-in-non-repository:
  git config: report when trying to modify a non-existing repo config
2016-02-26 13:37:26 -08:00
Junio C Hamano
8ef250c559 Merge branch 'jk/epipe-in-async'
Handling of errors while writing into our internal asynchronous
process has been made more robust, which reduces flakiness in our
tests.

* jk/epipe-in-async:
  t5504: handle expected output from SIGPIPE death
  test_must_fail: report number of unexpected signal
  fetch-pack: ignore SIGPIPE in sideband demuxer
  write_or_die: handle EPIPE in async threads
2016-02-26 13:37:26 -08:00
Junio C Hamano
15be621072 Merge branch 'mm/push-default-warning'
Across the transition at around Git version 2.0, the user used to
get a pretty loud warning when running "git push" without setting
push.default configuration variable.  We no longer warn, given that
the transition is over long time ago.

* mm/push-default-warning:
  push: remove "push.default is unset" warning message
2016-02-26 13:37:25 -08:00
Junio C Hamano
4ce064dd81 Merge branch 'fa/merge-recursive-no-rename'
"git merge-recursive" learned "--no-renames" option to disable its
rename detection logic.

* fa/merge-recursive-no-rename:
  t3034: test deprecated interface
  t3034: test option to disable renames
  t3034: add rename threshold tests
  merge-recursive: find-renames resets threshold
  merge-strategies.txt: fix typo
  merge-recursive: more consistent interface
  merge-recursive: option to disable renames
2016-02-26 13:37:25 -08:00
Junio C Hamano
9671a76c17 Merge branch 'sb/submodule-fetch-nontip'
When "git submodule update" did not result in fetching the commit
object in the submodule that is referenced by the superproject, the
command learned to retry another fetch, specifically asking for
that commit that may not be connected to the refs it usually
fetches.

* sb/submodule-fetch-nontip:
  submodule: try harder to fetch needed sha1 by direct fetching sha1
2016-02-26 13:37:24 -08:00
Junio C Hamano
03f682bf74 Merge branch 'sb/submodule-module-list-fix'
A helper function "git submodule" uses since v2.7.0 to list the
modules that match the pathspec argument given to its subcommands
(e.g. "submodule add <repo> <path>") has been fixed.

* sb/submodule-module-list-fix:
  submodule helper list: respect correct path prefix
2016-02-26 13:37:24 -08:00
Junio C Hamano
c6b94eb009 Merge branch 'tb/conversion'
Code simplification.

* tb/conversion:
  convert.c: correct attr_action()
  convert.c: simplify text_stat
  convert.c: refactor crlf_action
  convert.c: use text_eol_is_crlf()
  convert.c: remove input_crlf_action()
  convert.c: remove unused parameter 'path'
  t0027: add tests for get_stream_filter()
2016-02-26 13:37:23 -08:00
Junio C Hamano
316336379c Merge branch 'jk/grep-binary-workaround-in-test'
Recent versions of GNU grep are pickier when their input contains
arbitrary binary data, which some of our tests uses.  Rewrite the
tests to sidestep the problem.

* jk/grep-binary-workaround-in-test:
  t9200: avoid grep on non-ASCII data
  t8005: avoid grep on non-ASCII data
2016-02-26 13:37:23 -08:00
Junio C Hamano
c1fa85ff8c Merge branch 'ps/plug-xdl-merge-leak'
* ps/plug-xdl-merge-leak:
  xdiff/xmerge: fix memory leak in xdl_merge
2016-02-26 13:37:22 -08:00
Junio C Hamano
1e4c08ff7e Merge branch 'mm/push-simple-doc'
The documentation did not clearly state that the 'simple' mode is
now the default for "git push" when push.default configuration is
not set.

* mm/push-simple-doc:
  Documentation/git-push: document that 'simple' is the default
2016-02-26 13:37:21 -08:00
Junio C Hamano
2a24444aae Merge branch 'jg/credential-cache-chdir-to-sockdir'
The "credential-cache" daemon process used to run in whatever
directory it happened to start in, but this made umount(2)ing the
filesystem that houses the repository harder; now the process
chdir()s to the directory that house its own socket on startup.

* jg/credential-cache-chdir-to-sockdir:
  credential-cache--daemon: change to the socket dir on startup
  credential-cache--daemon: disallow relative socket path
  credential-cache--daemon: refactor check_socket_directory
2016-02-26 13:37:20 -08:00
Junio C Hamano
225caa73f2 Merge branch 'ps/config-error'
Many codepaths forget to check return value from git_config_set();
the function is made to die() to make sure we do not proceed when
setting a configuration variable failed.

* ps/config-error:
  config: rename git_config_set_or_die to git_config_set
  config: rename git_config_set to git_config_set_gently
  compat: die when unable to set core.precomposeunicode
  sequencer: die on config error when saving replay opts
  init-db: die on config errors when initializing empty repo
  clone: die on config error in cmd_clone
  remote: die on config error when manipulating remotes
  remote: die on config error when setting/adding branches
  remote: die on config error when setting URL
  submodule--helper: die on config error when cloning module
  submodule: die on config error when linking modules
  branch: die on config error when editing branch description
  branch: die on config error when unsetting upstream
  branch: report errors in tracking branch setup
  config: introduce set_or_die wrappers
2016-02-26 13:37:19 -08:00
Junio C Hamano
56d4e7e6c3 Merge branch 'mg/work-tree-tests'
Traditionally, the tests that try commands that work on the
contents in the working tree were named with "worktree" in their
filenames, but with the recent addition of "git worktree"
subcommand, whose tests are also named similarly, it has become
harder to tell them apart.  The traditional tests have been renamed
to use "work-tree" instead in an attempt to differentiate them.

* mg/work-tree-tests:
  tests: rename work-tree tests to *work-tree*
2016-02-26 13:37:18 -08:00
Junio C Hamano
dd0f567f10 Merge branch 'ls/config-origin'
The configuration system has been taught to phrase where it found a
bad configuration variable in a better way in its error messages.
"git config" learnt a new "--show-origin" option to indicate where
the values come from.

* ls/config-origin:
  config: add '--show-origin' option to print the origin of a config value
  config: add 'origin_type' to config_source struct
  rename git_config_from_buf to git_config_from_mem
  t: do not hide Git's exit code in tests using 'nul_to_q'
2016-02-26 13:37:17 -08:00
Junio C Hamano
11529ecec9 Merge branch 'jk/tighten-alloc'
Update various codepaths to avoid manually-counted malloc().

* jk/tighten-alloc: (22 commits)
  ewah: convert to REALLOC_ARRAY, etc
  convert ewah/bitmap code to use xmalloc
  diff_populate_gitlink: use a strbuf
  transport_anonymize_url: use xstrfmt
  git-compat-util: drop mempcpy compat code
  sequencer: simplify memory allocation of get_message
  test-path-utils: fix normalize_path_copy output buffer size
  fetch-pack: simplify add_sought_entry
  fast-import: simplify allocation in start_packfile
  write_untracked_extension: use FLEX_ALLOC helper
  prepare_{git,shell}_cmd: use argv_array
  use st_add and st_mult for allocation size computation
  convert trivial cases to FLEX_ARRAY macros
  use xmallocz to avoid size arithmetic
  convert trivial cases to ALLOC_ARRAY
  convert manual allocations to argv_array
  argv-array: add detach function
  add helpers for allocating flex-array structs
  harden REALLOC_ARRAY and xcalloc against size_t overflow
  tree-diff: catch integer overflow in combine_diff_path allocation
  ...
2016-02-26 13:37:16 -08:00
Junio C Hamano
3ed26a44b3 Merge branch 'jk/more-comments-on-textconv'
The memory ownership rule of fill_textconv() API, which was a bit
tricky, has been documented a bit better.

* jk/more-comments-on-textconv:
  diff: clarify textconv interface
2016-02-26 13:37:15 -08:00
Junio C Hamano
18b26b18c5 Merge branch 'jk/no-diff-emit-common'
"git merge-tree" used to mishandle "both sides added" conflict with
its own "create a fake ancestor file that has the common parts of
what both sides have added and do a 3-way merge" logic; this has
been updated to use the usual "3-way merge with an empty blob as
the fake common ancestor file" approach used in the rest of the
system.

* jk/no-diff-emit-common:
  xdiff: drop XDL_EMIT_COMMON
  merge-tree: drop generate_common strategy
  merge-one-file: use empty blob for add/add base
2016-02-26 13:37:14 -08:00
Junio C Hamano
dede29612a Merge branch 'ak/git-strip-extension-from-dashed-command'
Code simplification.

* ak/git-strip-extension-from-dashed-command:
  git.c: simplify stripping extension of a file in handle_builtin()
2016-02-26 13:37:13 -08:00
Junio C Hamano
7943cba1de Merge branch 'ak/extract-argv0-last-dir-sep'
Code simplification.

* ak/extract-argv0-last-dir-sep:
  exec_cmd.c: use find_last_dir_sep() for code simplification
2016-02-26 13:37:12 -08:00
Junio C Hamano
26f7b5c79a Merge branch 'kn/ref-filter-atom-parsing'
The ref-filter's format-parsing code has been refactored, in
preparation for "branch --format" and friends.

* kn/ref-filter-atom-parsing:
  ref-filter: introduce objectname_atom_parser()
  ref-filter: introduce contents_atom_parser()
  ref-filter: introduce remote_ref_atom_parser()
  ref-filter: align: introduce long-form syntax
  ref-filter: introduce align_atom_parser()
  ref-filter: introduce parse_align_position()
  ref-filter: introduce color_atom_parser()
  ref-filter: introduce parsing functions for each valid atom
  ref-filter: introduce struct used_atom
  ref-filter: bump 'used_atom' and related code to the top
  ref-filter: use string_list_split over strbuf_split
2016-02-26 13:37:10 -08:00
Junio C Hamano
ae2f25542f Merge branch 'tg/git-remote'
The internal API to interact with "remote.*" configuration
variables has been streamlined.

* tg/git-remote:
  remote: use remote_is_configured() for add and rename
  remote: actually check if remote exits
  remote: simplify remote_is_configured()
  remote: use parse_config_key
2016-02-26 13:37:09 -08:00
Jeff King
24321375cd credential: let empty credential specs reset helper list
Sine the credential.helper key is a multi-valued config
list, there's no way to "unset" a helper once it's been set.
So if your system /etc/gitconfig sets one, you can never
avoid running it, but only add your own helpers on top.

Since an empty value for credential.helper is nonsensical
(it would just try to run "git-credential-"), we can assume
nobody is using it. Let's define it to reset the helper
list, letting you override lower-priority instances which
have come before.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-02-26 10:58:14 -08:00
Michael J Gruber
59223223f4 t/lib-httpd: load mod_unixd
In contrast to apache 2.2, apache 2.4 does not load mod_unixd in its
default configuration (because there are choices). Thus, with the
current config, apache 2.4.10 will not be started and the httpd tests
will not run on distros with default apache config (RedHat type).

Enable mod_unixd to make the httpd tests run. This does not affect
distros negatively which have that config already in their default
(Debian type). httpd tests will run on these before and after this patch.

Signed-off-by: Michael J Gruber <git@drmicha.warpmail.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-02-25 15:25:16 -08:00
Michael Procter
65a3629ea3 upload-pack: use argv_array for pack_objects
Use the argv_array in the child_process structure, to avoid having to
manually maintain an array size.

Signed-off-by: Michael Procter <michael@procter.org.uk>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-02-25 14:20:25 -08:00
Jeff King
43f3afc6bc t5504: handle expected output from SIGPIPE death
Commit 8bf4bec (add "ok=sigpipe" to test_must_fail and use
it to fix flaky tests, 2015-11-27) taught t5504 to handle
"git push" racily exiting with SIGPIPE rather than failing.

However, one of the tests checks the output of the command,
as well. In the SIGPIPE case, we will not have produced any
output. If we want the test to be truly non-flaky, we have
to accept either output.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-02-25 13:51:47 -08:00
Jeff King
f3ed0b372d test_must_fail: report number of unexpected signal
If a command is marked as test_must_fail but dies with a
signal, we consider that a problem and report the error to
stderr. However, we don't say _which_ signal; knowing that
can make debugging easier. Let's share as much as we know.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-02-25 13:51:47 -08:00
Jeff King
9ff18faf2f fetch-pack: ignore SIGPIPE in sideband demuxer
If the other side feeds us a bogus pack, index-pack (or
unpack-objects) may die early, before consuming all of its
input. As a result, the sideband demuxer may get SIGPIPE
(racily, depending on whether our data made it into the pipe
buffer or not). If this happens and we are compiled with
pthread support, it will take down the main thread, too.

This isn't the end of the world, as the main process will
just die() anyway when it sees index-pack failed. But it
does mean we don't get a chance to say "fatal: index-pack
failed" or similar. And it also means that we racily fail
t5504, as we sometimes die() and sometimes are killed by
SIGPIPE.

So let's ignore SIGPIPE while demuxing the sideband. We are
already careful to check the return value of write(), so we
won't waste time writing to a broken pipe. The caller will
notice the error return from the async thread, though in
practice we don't even get that far, as we die() as soon as
we see that index-pack failed.

The non-sideband case is already fine; we let index-pack
read straight from the socket, so there is no SIGPIPE at
all. Technically the non-threaded async case is also OK
without this (the forked async process gets SIGPIPE), but
it's not worth distinguishing from the threaded case here.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-02-25 13:51:47 -08:00
Jeff King
9658846ce3 write_or_die: handle EPIPE in async threads
When write_or_die() sees EPIPE, it treats it specially by
converting it into a SIGPIPE death. We obviously cannot
ignore it, as the write has failed and the caller expects us
to die. But likewise, we cannot just call die(), because
printing any message at all would be a nuisance during
normal operations.

However, this is a problem if write_or_die() is called from
a thread. Our raised signal ends up killing the whole
process, when logically we just need to kill the thread
(after all, if we are ignoring SIGPIPE, there is good reason
to think that the main thread is expecting to handle it).

Inside an async thread, the die() code already does the
right thing, because we use our custom die_async() routine,
which calls pthread_join(). So ideally we would piggy-back
on that, and simply call:

  die_quietly_with_code(141);

or similar. But refactoring the die code to do this is
surprisingly non-trivial. The die_routines themselves handle
both printing and the decision of the exit code. Every one
of them would have to be modified to take new parameters for
the code, and to tell us to be quiet.

Instead, we can just teach write_or_die() to check for the
async case and handle it specially. We do have to build an
interface to abstract the async exit, but it's simple and
self-contained. If we had many call-sites that wanted to do
this die_quietly_with_code(), this approach wouldn't scale
as well, but we don't. This is the only place where do this
weird exit trick.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-02-25 13:51:45 -08:00
Lars Schneider
658df95a4a add DEVELOPER makefile knob to check for acknowledged warnings
We assume Git developers have a reasonably modern compiler and recommend
them to enable the DEVELOPER makefile knob to ensure their patches are
clear of all compiler warnings the Git core project cares about.

Enable the DEVELOPER makefile knob in the Travis-CI build.

Suggested-by: Jeff King <peff@peff.net>
Signed-off-by: Lars Schneider <larsxschneider@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-02-25 12:49:45 -08:00
David Turner
49386868de refs: document transaction semantics
Add some comments on ref transaction semantics to refs.h

Signed-off-by: David Turner <dturner@twopensource.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-02-25 12:35:31 -08:00
Jeff King
13e0b0d3dc use_pack: handle signed off_t overflow
A v2 pack index file can specify an offset within a packfile
of up to 2^64-1 bytes. On a system with a signed 64-bit
off_t, we can represent only up to 2^63-1. This means that a
corrupted .idx file can end up with a negative offset in the
pack code. Our bounds-checking use_pack function looks for
too-large offsets, but not for ones that have wrapped around
to negative. Let's do so, which fixes an out-of-bounds
access demonstrated in t5313.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-02-25 11:32:46 -08:00
Jeff King
47fe3f6ef0 nth_packed_object_offset: bounds-check extended offset
If a pack .idx file has a corrupted offset for an object, we
may try to access an offset in the .idx or .pack file that
is larger than the file's size.  For the .pack case, we have
use_pack() to protect us, which realizes the access is out
of bounds. But if the corrupted value asks us to look in the
.idx file's secondary 64-bit offset table, we blindly add it
to the mmap'd index data and access arbitrary memory.

We can fix this with a simple bounds-check compared to the
size we found when we opened the .idx file.

Note that there's similar code in index-pack that is
triggered only during "index-pack --verify". To support
both, we pull the bounds-check into a separate function,
which dies when it sees a corrupted file.

It would be nice if we could return an error, so that the
pack code could try to find a good copy of the object
elsewhere. Currently nth_packed_object_offset doesn't have
any way to return an error, but it could probably use "0" as
a sentinel value (since no object can start there). This is
the minimal fix, and we can improve the resilience later on
top.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-02-25 11:32:43 -08:00
Jeff King
a1283866ba t5313: test bounds-checks of corrupted/malicious pack/idx files
Our on-disk .pack and .idx files may reference other data by
offset. We should make sure that we are not fooled by
corrupt data into accessing memory outside of our mmap'd
boundaries.

This patch adds a series of tests for offsets found in .pack
and .idx files. For the most part we get this right, but
there are two tests of .idx files marked as failures: we do
not bounds-check offsets in the v2 index's extended offset
table, nor do we handle .idx offsets that overflow a signed
off_t.

With these tests, we should have good coverage of all
offsets found in these files. Note that this doesn't cover
.bitmap files, which may have similar bugs.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2016-02-25 11:32:41 -08:00