Commit Graph

46769 Commits

Author SHA1 Message Date
Nguyễn Thái Ngọc Duy
9476c6ed3d refs: rename lookup_ref_store() to lookup_submodule_ref_store()
With get_main_ref_store() being used inside get_ref_store(),
lookup_ref_store() is only used for submodule code path. Rename to
reflect that and delete dead code.

Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-03-27 10:23:39 -07:00
Nguyễn Thái Ngọc Duy
24c8407e0a refs.c: introduce get_main_ref_store()
Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-03-27 10:23:39 -07:00
Nguyễn Thái Ngọc Duy
f57f37e2e1 files-backend: remove the use of git_path()
Given $GIT_DIR and $GIT_COMMON_DIR, files-backend is now in charge of
deciding what goes where (*). The end goal is to pass $GIT_DIR only. A
refs "view" of a linked worktree is a logical ref store that combines
two files backends together.

(*) Not entirely true since strbuf_git_path_submodule() still does path
translation underneath. But that's for another patch.

Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-03-27 10:23:39 -07:00
Nguyễn Thái Ngọc Duy
19e02f4f46 files-backend: add and use files_ref_path()
Keep repo-related path handling in one place. This will make it easier
to add submodule/multiworktree support later.

This automatically adds the "if submodule then use the submodule version
of git_path" to other call sites too. But it does not mean those
operations are submodule-ready. Not yet.

Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-03-27 10:23:39 -07:00
Nguyễn Thái Ngọc Duy
802de3da07 files-backend: add and use files_reflog_path()
Keep repo-related path handling in one place. This will make it easier
to add submodule/multiworktree support later.

Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-03-27 10:23:39 -07:00
Nguyễn Thái Ngọc Duy
a5c1efd693 files-backend: move "logs/" out of TMP_RENAMED_LOG
This makes reflog path building consistent, always in the form of

    strbuf_git_path(sb, "logs/%s", refname);

It reduces the mental workload a bit in the next patch when that
function call is converted.

Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-03-27 10:23:39 -07:00
Nguyễn Thái Ngọc Duy
e9dcc3054f files-backend: convert git_path() to strbuf_git_path()
git_path() and friends are going to be killed in files-backend.c in near
future. And because there's a risk with overwriting buffer in
git_path(), let's convert them all to strbuf_git_path(). We'll have
easier time killing/converting strbuf_git_path() then because we won't
have to worry about memory management again.

Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-03-27 10:23:39 -07:00
Nguyễn Thái Ngọc Duy
0a3f07d6c0 files-backend: make sure files_rename_ref() always reach the end
This is a no-op patch. It prepares the function so that we can release
resources (to be added later in this function) before we return.

Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-03-27 10:23:39 -07:00
Nguyễn Thái Ngọc Duy
33dfb9f3f2 files-backend: add and use files_packed_refs_path()
Keep repo-related path handling in one place. This will make it easier
to add submodule/multiworktree support later.

Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-03-27 10:23:39 -07:00
Nguyễn Thái Ngọc Duy
1eab194bf0 files-backend: delete dead code in files_init_db()
safe_create_dir() can do adjust_shared_perm() internally, and init-db
has always created 'refs' in shared mode since the beginning,
af6e277c5e (git-init-db: initialize shared repositories with --shared -
2005-12-22). So this code looks like extra adjust_shared_perm calls are
unnecessary.

And they are. But let's see why there are here in the first place.

This code was added in 6fb5acfd8f (refs: add methods to init refs db -
2016-09-04). From the diff alone this looks like a faithful refactored
code from init-db.c. But there is a subtle difference:

Between the safe_create_dir() block and adjust_shared_perm() block in
the old init-db.c, we may copy/recreate directories from the repo
template. So it makes sense that adjust_shared_perm() is re-executed
then to fix potential permission screwups.

After 6fb5acfd8f, refs dirs are created after template is copied. Nobody
will change directory permission again. So the extra adjust_shared_perm()
is redudant. Delete them.

Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-03-27 10:23:39 -07:00
Nguyễn Thái Ngọc Duy
4f43731268 files-backend.c: delete dead code in files_ref_iterator_begin()
It's not in the diff context, but files_downcast() is called before this
check. If "refs" is NULL, we would have segfaulted before reaching the
check here. And we should never see NULL refs in backend code (frontend
should have caught it).

Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-03-27 10:23:39 -07:00
Nguyễn Thái Ngọc Duy
11f8457fb9 files-backend: make files_log_ref_write() static
Created in 5f3c3a4e6f (files_log_ref_write: new function - 2015-11-10)
but probably never used outside refs-internal.c

Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-03-27 10:23:39 -07:00
Stefan Beller
5c896f7c3e submodule.c: stricter checking for submodules in is_submodule_modified
By having a stricter check in the superproject we catch errors earlier,
instead of spawning a child process to tell us.

Signed-off-by: Stefan Beller <sbeller@google.com>
Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-03-27 09:48:19 -07:00
Stefan Beller
fcecf0b968 submodule.c: port is_submodule_modified to use porcelain 2
Migrate 'is_submodule_modified' to the new porcelain format of
git-status. This conversion attempts to convert faithfully, i.e.
the behavior ought to be exactly the same.

As the output in the parsing only distinguishes between untracked files
and the rest, this is easy to port to the new format, as we only
need to identify untracked files and the rest is handled in the "else"
case.

untracked files are indicated by only a single question mark instead of
two question marks, so the conversion is easy.

Signed-off-by: Stefan Beller <sbeller@google.com>
Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-03-27 09:48:19 -07:00
Stefan Beller
af6865a7f1 submodule.c: convert is_submodule_modified to use strbuf_getwholeline
Instead of implementing line reading yet again, make use of our beautiful
library function to read one line.  By using strbuf_getwholeline instead
of strbuf_read, we avoid having to allocate memory for the entire child
process output at once.  That is, we limit maximum memory usage.
Also we can start processing the output as it comes in, no need to
wait for all of it.

Once we know all information that we care about, we can terminate
the child early. In that case we do not care about its exit code as well.
By just closing our side of the pipe the child process will get a SIGPIPE
signal, which it will not report nor do we report it in finish_command,
ac78663b0d (run-command: don't warn on SIGPIPE deaths, 2015-12-29).

Helped-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Stefan Beller <sbeller@google.com>
Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-03-27 09:48:19 -07:00
Stefan Beller
64f9a946f0 submodule.c: factor out early loop termination in is_submodule_modified
This makes it easier for a follow up patch.

Signed-off-by: Stefan Beller <sbeller@google.com>
Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-03-27 09:48:19 -07:00
Stefan Beller
d0d7fed1a2 submodule.c: use argv_array in is_submodule_modified
struct argv_array is easier to use and maintain.

Signed-off-by: Stefan Beller <sbeller@google.com>
Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-03-27 09:48:18 -07:00
brian m. carlson
14bb40b3f0 builtin/pull: convert portions to struct object_id
Convert the caller of sha1_array_append to struct object_id.

Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-03-26 22:08:21 -07:00
brian m. carlson
9c4b0f66aa builtin/diff: convert to struct object_id
Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-03-26 22:08:21 -07:00
brian m. carlson
cd02599c48 Convert GIT_SHA1_RAWSZ used for allocation to GIT_MAX_RAWSZ
Since we will likely be introducing a new hash function at some point,
and that hash function might be longer than 20 bytes, use the constant
GIT_MAX_RAWSZ, which is designed to be suitable for allocations, instead
of GIT_SHA1_RAWSZ.  This will ease the transition down the line by
distinguishing between places where we need to allocate memory suitable
for the largest hash from those where we need to handle the current
hash.

Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-03-26 22:08:21 -07:00
brian m. carlson
dc01505f7f Convert GIT_SHA1_HEXSZ used for allocation to GIT_MAX_HEXSZ
Since we will likely be introducing a new hash function at some point,
and that hash function might be longer than 40 hex characters, use the
constant GIT_MAX_HEXSZ, which is designed to be suitable for
allocations, instead of GIT_SHA1_HEXSZ.  This will ease the transition
down the line by distinguishing between places where we need to allocate
memory suitable for the largest hash from those where we need to handle
the current hash.

Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-03-26 22:08:21 -07:00
brian m. carlson
5028bf628c Define new hash-size constants for allocating memory
Since we will want to transition to a new hash at some point in the
future, and that hash may be larger in size than 160 bits, introduce two
constants that can be used for allocating a sufficient amount of memory.
They can be increased to reflect the largest supported hash size.

Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-03-26 22:08:21 -07:00
René Scharfe
a54e938e5b strbuf: support long paths w/o read rights in strbuf_getcwd() on FreeBSD
FreeBSD implements getcwd(3) as a syscall, but falls back to a version
based on readdir(3) if it fails for some reason.  The latter requires
permissions to read and execute path components, while the former does
not.  That means that if our buffer is too small and we're missing
rights we could get EACCES, but we may succeed with a bigger buffer.

Keep retrying if getcwd(3) indicates lack of permissions until our
buffer can fit PATH_MAX bytes, as that's the maximum supported by the
syscall on FreeBSD anyway.  This way we do what we can to be able to
benefit from the syscall, but we also won't loop forever if there is a
real permission issue.

This fixes a regression introduced with 7333ed17 (setup: convert
setup_git_directory_gently_1 et al. to strbuf, 2014-07-28) for paths
longer than 127 bytes with components that miss read or execute
permissions (e.g. 0711 on /home for privacy reasons); we used a fixed
PATH_MAX-sized buffer before.

Reported-by: Zenobiusz Kunegunda <zenobiusz.kunegunda@interia.pl>
Signed-off-by: Rene Scharfe <l.s.r@web.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-03-26 17:41:05 -07:00
Ævar Arnfjörð Bjarmason
48a96972fd doc/SubmittingPatches: show how to get a CLI commit summary
Amend the section which describes how to get a commit summary to show
how do to that with "git show", currently the documentation only shows
how to do that with gitk.

Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-03-26 15:59:08 -07:00
Ævar Arnfjörð Bjarmason
4473060bc2 t/README: clarify the test_have_prereq documentation
Clarify the test_have_prereq documentation so that it's clear in the
reader's mind when the text says "most common use of this directly"
what the answer to "as opposed to what?" is.

Usually this function isn't used in lieu of using the prerequisite
support built into test_expect_*, mention that explicitly.

This changes documentation that I added in commit
9a897893a7 ("t/README: Document the prereq functions, and 3-arg
test_*", 2010-07-02).

Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-03-26 15:58:25 -07:00
Junio C Hamano
7e71542e8b sha1dc: avoid CPP macro collisions
In an early part of sha1dc/sha1.c, the code checks the endianness of
the target platform by inspecting common CPP macros defined on
big-endian boxes, and sets BIGENDIAN macro to 1.  If these common
CPP macros are not defined, the code declares that the target
platform is little endian and does nothing (most notably, it does
not #undef its BIGENDIAN macro).

The code that does so even has this comment

    Note that all MSFT platforms are little endian,
    so none of these will be defined under the MSC compiler.

and later, the defined-ness of the BIGENDIAN macro is used to switch
the implementation of sha1_load() macro.

One thing the code did not anticipate is that somebody might define
BIGENDIAN macro in some header it includes to 0 on a little-endian
target platform.  Because the auto-detection based on common macros
do not touch BIGENDIAN macro when it detects a little-endian target,
such a definition is still valid and then defined-ness test will say
"Ah, BIGENDIAN is defined" and takes the wrong sha1_load().

As this auto-detection logic pretends as if it owns the BIGENDIAN
macro by ignoring the setting that may come from the outside and by
not explicitly unsetting when it decides that it is working for a
little-endian target, solve this problem without breaking that
assumption.  Namely, we can rename BIGENDIAN this code uses to
something much less generic, i.e. SHA1DC_BIGENDIAN.  For extra
protection, undef the macro on a little-endian target.

It is possible to work it around by instead #undef BIGENDIAN in
the auto-detection code, but a macro (or include) that happens later
in the code can be implemented in terms of BIGENDIAN on Windows and
it is possible that the implementation gets upset when it sees the
CPP macro undef'ed (instead of set to 0).  Renaming the private macro
intended to be used only in this file to a less generic name relieves
us from having to worry about that kind of breakage.

Noticed-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-03-26 15:34:44 -07:00
Junio C Hamano
034667a458 Git 2.12.2
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJY1XqcAAoJELC16IaWr+bL0/EQAMFyPd8Rzjpt+yWs/gSllSSB
 KuBKpBssfBVhqEjHz7o1y3NseOzQj6mbJR3WIrGpUOhlzDU/ARFYL//3EkHEbDzd
 Cw9BXfU5B/zfkP9zPI8ecmjmjFfRwrCGA+DOTXYAA5RZz0Done+VsZwQYsBShEd8
 7cQNFNoThic4ww3Lba+VM6rh+6D89PcG21pQQy+DgwEWWTYPQXmebIYAnCgpLGcv
 JLIPgefEBGwDlQ08rGZaiuKU3cqSSXIovNz7Oslntr6OlH3tox4lHtGVV3w/i2uY
 /488+yiKqO7MP85/0Qg8xmv1sVnGOk9UilS18OsJsHGd1uByjWq6abfbdGqEmYJR
 JhY5L3OBX8hlCsP3//JESqMWoXFZTzaCL2FQAh59FdNTk0BxvQFw3OVRz2CP6Y6y
 Ghn4ywU3HSgZDYzPjE7sHsn+xTUAm3BZcHZ0VWM0we3QRibTewVkBmAh8nukZxfb
 MutOGVRTHBoPKlQ+THz6eyBHV4N431Wko+Zq7bl4KttJk/WXl1nCzyLVi0TizsoO
 NfeI1dtrOnMiBMR+dAIWoNd9cyDMU6j1wzvnWoCZs8YUrtegB9cM6XbI+gJ5NK6v
 TVvYcqoZf4JFteYqVAXN7NtHApPcoPDOtV4vsB/qNoY2xiX7YZRGshuijlst6jOC
 WfuyDe+wnrMb4Q4LVknC
 =jgnW
 -----END PGP SIGNATURE-----

Sync with 2.12.2
2017-03-24 13:31:01 -07:00
Junio C Hamano
ea5b2dd28f Seventh batch for 2.13
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-03-24 13:30:34 -07:00
Junio C Hamano
48b3693d3c Merge branch 'jk/sha1dc'
The "detect attempt to create collisions" variant of SHA-1
implementation by Marc Stevens (CWI) and Dan Shumow (Microsoft)
has been integrated and made the default.

* jk/sha1dc:
  Makefile: make DC_SHA1 the default
  t0013: add a basic sha1 collision detection test
  Makefile: add DC_SHA1 knob
  sha1dc: disable safe_hash feature
  sha1dc: adjust header includes for git
  sha1dc: add collision-detecting sha1 implementation
2017-03-24 13:07:38 -07:00
Junio C Hamano
fa13fd174f Merge branch 'sg/test-with-stdin'
Teach the "debug" helper used in the test framework that allows a
command to run under "gdb" to make the session interactive.

* sg/test-with-stdin:
  tests: make the 'test_pause' helper work in non-verbose mode
  tests: create an interactive gdb session with the 'debug' helper
2017-03-24 13:07:38 -07:00
Junio C Hamano
8b47c5de96 Merge branch 'rs/update-hook-optim'
Code clean-up.

* rs/update-hook-optim:
  receive-pack: simplify run_update_post_hook()
2017-03-24 13:07:37 -07:00
Junio C Hamano
bedbeb1bb3 Merge branch 'rs/shortlog-cleanup'
Code clean-up.

* rs/shortlog-cleanup:
  shortlog: don't set after_subject to an empty string
2017-03-24 13:07:37 -07:00
Junio C Hamano
3bf7d37a7d Merge branch 'rs/path-name-safety-cleanup'
Code clean-up.

* rs/path-name-safety-cleanup:
  revision: remove declaration of path_name()
2017-03-24 13:07:36 -07:00
Junio C Hamano
bbde4a987d Merge branch 'rs/http-push-cleanup'
Code clean-up.

* rs/http-push-cleanup:
  http-push: don't check return value of lookup_unknown_object()
2017-03-24 13:07:35 -07:00
Junio C Hamano
0efeb5ca12 Merge branch 'js/regexec-buf'
Fix for potential segv introduced in v2.11.0 and later (also
v2.10.2).

* js/regexec-buf:
  pickaxe: fix segfault with '-S<...> --pickaxe-regex'
2017-03-24 13:07:35 -07:00
Junio C Hamano
6756b58ebc Merge branch 'jk/execv-dashed-external'
Fix for NO_PTHREADS build.

* jk/execv-dashed-external:
  run-command: fix segfault when cleaning forked async process
2017-03-24 13:07:34 -07:00
Junio C Hamano
78cf8efec3 Merge branch 'dl/credential-cache-socket-in-xdg-cache'
The default location "~/.git-credential-cache/socket" for the
socket used to communicate with the credential-cache daemon has
been moved to "~/.cache/git/credential/socket".

* dl/credential-cache-socket-in-xdg-cache:
  credential-cache: add tests for XDG functionality
  credential-cache: use XDG_CACHE_HOME for socket
  path.c: add xdg_cache_home
2017-03-24 13:07:34 -07:00
Junio C Hamano
8f9aeb0d36 Git 2.12.2
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-03-24 12:59:15 -07:00
Junio C Hamano
75d4476f52 Merge branch 'ab/doc-no-option-notation-fix' into maint
Doc fix.

* ab/doc-no-option-notation-fix:
  doc: change erroneous --[no]-whatever into --[no-]whatever
2017-03-24 12:57:55 -07:00
Junio C Hamano
ce9e6178d3 Merge branch 'ab/push-default-doc-fix' into maint
Doc fix.

* ab/push-default-doc-fix:
  push: mention "push.default=tracking" in the documentation
2017-03-24 12:57:54 -07:00
Junio C Hamano
7bd881f7ca Merge branch 'nd/commit-hook-doc-fix' into maint
Doc fix.

* nd/commit-hook-doc-fix:
  git-commit.txt: list post-rewrite in HOOKS section
2017-03-24 12:57:54 -07:00
Junio C Hamano
eb4e87cef9 Merge branch 'jc/config-case-cmdline-take-2' into maint
The code to parse "git -c VAR=VAL cmd" and set configuration
variable for the duration of cmd had two small bugs, which have
been fixed.
This supersedes jc/config-case-cmdline topic that has been discarded.

* jc/config-case-cmdline-take-2:
  config: use git_config_parse_key() in git_config_parse_parameter()
  config: move a few helper functions up
2017-03-24 12:57:54 -07:00
Junio C Hamano
ea7aa5a464 Merge branch 'jk/grep-no-index-fix' into maint
The code to parse the command line "git grep <patterns>... <rev>
[[--] <pathspec>...]" has been cleaned up, and a handful of bugs
have been fixed (e.g. we used to check "--" if it is a rev).

* jk/grep-no-index-fix:
  grep: treat revs the same for --untracked as for --no-index
  grep: do not diagnose misspelt revs with --no-index
  grep: avoid resolving revision names in --no-index case
  grep: fix "--" rev/pathspec disambiguation
  grep: re-order rev-parsing loop
  grep: do not unnecessarily query repo for "--"
  grep: move thread initialization a little lower
2017-03-24 12:57:53 -07:00
Junio C Hamano
411a179412 Merge branch 'jn/remote-helpers-with-git-dir' into maint
"git ls-remote" and "git archive --remote" are designed to work
without being in a directory under Git's control.  However, recent
updates revealed that we randomly look into a directory called
.git/ without actually doing necessary set-up when working in a
repository.  Stop doing so.

* jn/remote-helpers-with-git-dir:
  remote helpers: avoid blind fall-back to ".git" when setting GIT_DIR
  remote: avoid reading $GIT_DIR config in non-repo
2017-03-24 12:57:53 -07:00
Junio C Hamano
f3d5bbb283 Merge branch 'sb/submodule-config-parse-ignore-fix' into maint
Code to read submodule.<name>.ignore config did not state the
variable name correctly when giving an error message diagnosing
misconfiguration.

* sb/submodule-config-parse-ignore-fix:
  submodule-config: correct error reporting for invalid ignore value
2017-03-24 12:57:52 -07:00
Junio C Hamano
f4d3af1859 Merge branch 'jk/push-deadlock-regression-fix' into maint
"git push" had a handful of codepaths that could lead to a deadlock
when unexpected error happened, which has been fixed.

* jk/push-deadlock-regression-fix:
  send-pack: report signal death of pack-objects
  send-pack: read "unpack" status even on pack-objects failure
  send-pack: improve unpack-status error messages
  send-pack: use skip_prefix for parsing unpack status
  send-pack: extract parsing of "unpack" response
  receive-pack: fix deadlock when we cannot create tmpdir
2017-03-24 12:57:52 -07:00
Jeff King
2c5e2865cc pack.h: define largest possible encoded object size
Several callers use fixed buffers for storing the pack
object header, and they've picked 10 as a magic number. This
is reasonable, since it handles objects up to 2^67. But
let's give them a constant so it's clear that the number
isn't pulled out of thin air.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-03-24 12:34:07 -07:00
Jeff King
7202a6fa87 encode_in_pack_object_header: respect output buffer length
The encode_in_pack_object_header() writes a variable-length
header to an output buffer, but it doesn't actually know
long the buffer is. At first glance, this looks like it
might be possible to overflow.

In practice, this is probably impossible. The smallest
buffer we use is 10 bytes, which would hold the header for
an object up to 2^67 bytes. Obviously we're not likely to
see such an object, but we might worry that an object could
lie about its size (causing us to overflow before we realize
it does not actually have that many bytes). But the argument
is passed as a uintmax_t. Even on systems that have __int128
available, uintmax_t is typically restricted to 64-bit by
the ABI.

So it's unlikely that a system exists where this could be
exploited. Still, it's easy enough to use a normal out/len
pair and make sure we don't write too far. That protects the
hypothetical 128-bit system, makes it harder for callers to
accidentally specify a too-small buffer, and makes the
resulting code easier to audit.

Note that the one caller in fast-import tried to catch such
a case, but did so _after_ the call (at which point we'd
have already overflowed!). This check can now go away.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-03-24 12:34:07 -07:00
Jeff King
98718242cf fast-import: use xsnprintf for formatting headers
The stream_blob() function checks the return value of
snprintf and dies. This is more simply done with
xsnprintf (and matches the similar call in store_object).

The message the user would get is less specific, but since
the point is that this _shouldn't_ ever happen, that's OK.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-03-24 12:34:07 -07:00
Jeff King
614b19542f fast-import: use xsnprintf for writing sha1s
When we have to write a sha1 with a newline, we do so by
copying both into a single buffer, so that we can issue a
single write() call.

We use snprintf but don't bother to check the output, since
we know it will fit. However, we should use xsnprintf() in
such a case so that we're notified if our assumption turns
out to be wrong (and to make it easier to audit for
unchecked snprintf calls).

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2017-03-24 12:34:07 -07:00