From: Junio C Hamano <gitster@pobox.com>
To: Martin Koegler <mkoegler@auto.tuwien.ac.at>
Cc: git@vger.kernel.org
Subject: Re: [PATCH] parse_commit_buffer: don't parse invalid commits
Date: Sun, 06 Jan 2008 14:00:57 -0800
Message-ID: <7vbq7y4ns6.fsf@gitster.siamese.dyndns.org>
In-Reply-To: <11996461913672-git-send-email-mkoegler@auto.tuwien.ac.at> (Martin Koegler's message of "Sun, 6 Jan 2008 20:03:11 +0100")

Martin Koegler <mkoegler@auto.tuwien.ac.at> writes:

> Signed-off-by: Martin Koegler <mkoegler@auto.tuwien.ac.at>
> ---
>  commit.c |   28 +++++++++++++++++++++-------
>  1 files changed, 21 insertions(+), 7 deletions(-)
>
> diff --git a/commit.c b/commit.c
> index f074811..ffa0894 100644
> --- a/commit.c
> +++ b/commit.c
> @@ -48,19 +48,33 @@ struct commit *lookup_commit(const unsigned char *sha1)
>  	return check_commit(obj, sha1, 0);
>  }
>  
> -static unsigned long parse_commit_date(const char *buf)
> +static unsigned long parse_commit_date(const char *buf, const char* tail)

Should be "const char *tail" in our codebase.

>  {
>  	unsigned long date;
> +	char datebuf[20];
> +	unsigned long len;
>  
> +	if (buf + 6 >= tail)
> +		return 0;
>  	if (memcmp(buf, "author", 6))
>  		return 0;

Even though buf, which is a result from read_sha1_file(), is
always terminated with an extra NUL (outside its object size),
if a bogus commit object ends with "author" (and without the
author information) this part will pass, and ...

> -	while (*buf++ != '\n')
> +	while (buf < tail && *buf++ != '\n')
>  		/* nada */;
> +	if (buf + 9 >= tail)
> +		return 0;

... you catch that here.  That seems like a good change.

>  	if (memcmp(buf, "committer", 9))
>  		return 0;
> -	while (*buf++ != '>')
> +	while (buf < tail && *buf++ != '>')
>  		/* nada */;
> -	date = strtoul(buf, NULL, 10);
> +	if (buf >= tail)
> +		return 0;

Likewise here.

> +	len = tail - buf;
> +	if (len > sizeof(datebuf) - 1)
> +	  len = sizeof(datebuf) - 1;

Broken indentation.

> +	memcpy(datebuf, buf, len);
> +	datebuf[len] = 0;
> +	date = strtoul(datebuf, NULL, 10);
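
Review bot: the guards `if (buf + 6 >= tail)` and `if (buf + 9 >= tail)` compute a pointer past the end of a short object before comparing it; `tail - buf <= 6` and `tail - buf <= 9` give exactly the same result without forming that pointer and read directly as "six or fewer bytes left". Since `if (buf >= tail) return 0;` after the '>' scan already guarantees len >= 1, the only thing the memcpy() into datebuf adds over parsing in place is that strtoul() no longer depends on a NUL sitting at tail; if the copy stays, a one-line comment saying that is the reason would save the next reader the same question.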

However, as long as buf at this point hasn't gone beyond tail,
which you already checked, I think we can rely on strtoul()
stopping at the NUL at the end of buffer (that is one beyond
tail), without this extra memcpy().  Am I mistaken?

> @@ -236,9 +250,9 @@ int parse_commit_buffer(struct commit *item, void *buffer, unsigned long size)
>  		return 0;
>  	item->object.parsed = 1;
>  	tail += size;
> -	if (tail <= bufptr + 5 || memcmp(bufptr, "tree ", 5))
> +	if (tail <= bufptr + 46 || memcmp(bufptr, "tree ", 5) || bufptr[45] != '\n')
>  		return error("bogus commit object %s", sha1_to_hex(item->object.sha1));
> -	if (tail <= bufptr + 45 || get_sha1_hex(bufptr + 5, parent) < 0)
> +	if (get_sha1_hex(bufptr + 5, parent) < 0)
>  		return error("bad tree pointer in commit %s",
>  			     sha1_to_hex(item->object.sha1));
>  	item->tree = lookup_tree(parent);
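
Review bot: folding `bufptr[45] != '\n'` into the first condition means a tree line whose name is not followed by LF is reported as "bogus commit object" rather than "bad tree pointer"; the first `if` already guarantees bufptr[45] is in range, so that test can sit next to `get_sha1_hex(bufptr + 5, parent) < 0` in the second condition and keep each message aligned with what failed. The old `+ 5` / `+ 45` pair also made the derivation visible where the single `+ 46` does not; a short comment that 46 is "tree " plus 40 hex digits plus LF would help. Note that `tail <= bufptr + 46` rejects a body of exactly 46 bytes that `tail <= bufptr + 45` accepted; harmless, since such a body has no author or committer line, but worth one sentence in the commit message.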

This hunk is logically a no-op but I like your version better.
It also makes sure tree object name is terminated with a LF.

> @@ -275,7 +289,7 @@ int parse_commit_buffer(struct commit *item, void *buffer, unsigned long size)
>  			n_refs++;
>  		}
>  	}
> -	item->date = parse_commit_date(bufptr);
> +	item->date = parse_commit_date(bufptr, tail);
>  
>  	if (track_object_refs) {
>  		unsigned i = 0;
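
Review bot: a 0 returned by parse_commit_date(bufptr, tail) is stored into item->date without complaint while item->object.parsed has already been set to 1 above, so a commit whose author or committer line is missing or truncated now parses "successfully" with a date of 0, whereas a malformed tree line is rejected with error(). If that asymmetry is intended, say so in the commit message; otherwise have parse_commit_buffer return error("bogus commit object ...") when no date could be parsed, or give parse_commit_date a way to report "no date" separately from a genuine timestamp of 0.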
> -- 
> 1.4.4.4

When already somewhat deep in the rc cycle, looking at a patch
from somebody who uses 1.4.4.4 makes me look at the patch a bit
more carefully than usual ;-)
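
As an added example, not git's own code and not part of this thread, the following C program applies the bounded-parsing approach discussed above to the whole fixed part of a commit header: the tree line, any parent lines, then the author and committer lines. The names check_commit_header, bounded_commit_date, run_sample, sample_status and sample_date, the status enum, and the sample bodies are assumptions made for this example; the samples are constructed, not real objects. Each sample is parsed from a heap copy that is exactly its stated length with no trailing NUL, so under a sanitizer a read past the object size is reported instead of being hidden by the terminator read_sha1_file appends.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Outcome of validating a commit header (names assumed for this example). */
enum commit_hdr_status {
	COMMIT_OK = 0,
	COMMIT_BOGUS,      /* first line is not "tree <40 hex>\n" */
	COMMIT_BAD_PARENT, /* a "parent " line is truncated or not hex */
	COMMIT_NO_DATE     /* author/committer lines missing or truncated */
};

/* True if the 40 bytes at p are hex digits; caller guarantees the range. */
static int is_hex40(const char *p)
{
	for (int i = 0; i < 40; i++)
		if (!isxdigit((unsigned char)p[i]))
			return 0;
	return 1;
}

/* Committer timestamp from the author/committer lines, or 0 on malformation.
 * Every read is bounded by tail, so nothing depends on a NUL byte at tail. */
static unsigned long bounded_commit_date(const char *buf, const char *tail)
{
	char datebuf[20];
	size_t n;

	if (tail - buf <= 6 || memcmp(buf, "author", 6))
		return 0;
	while (buf < tail && *buf++ != '\n')
		; /* skip the rest of the author line */
	if (tail - buf <= 9 || memcmp(buf, "committer", 9))
		return 0;
	while (buf < tail && *buf++ != '>')
		; /* skip to the end of the committer e-mail */
	if (buf >= tail)
		return 0;
	n = tail - buf;                /* terminated, clamped copy for strtoul() */
	if (n > sizeof(datebuf) - 1)
		n = sizeof(datebuf) - 1;
	memcpy(datebuf, buf, n);
	datebuf[n] = '\0';
	return strtoul(datebuf, NULL, 10);
}

/* Validate the fixed header lines of a commit body of the given size. */
static enum commit_hdr_status check_commit_header(const char *buf, size_t size,
						  unsigned long *date)
{
	const char *p = buf, *tail = buf + size;

	/* "tree " + 40 hex + LF is 46 bytes; the LF is checked explicitly. */
	if (tail - p < 46 || memcmp(p, "tree ", 5) || p[45] != '\n' ||
	    !is_hex40(p + 5))
		return COMMIT_BOGUS;
	p += 46;
	/* Zero or more "parent " + 40 hex + LF lines, 48 bytes each. */
	while (tail - p >= 7 && !memcmp(p, "parent ", 7)) {
		if (tail - p < 48 || p[47] != '\n' || !is_hex40(p + 7))
			return COMMIT_BAD_PARENT;
		p += 48;
	}
	*date = bounded_commit_date(p, tail);
	return *date ? COMMIT_OK : COMMIT_NO_DATE;
}

/* Constructed sample bodies, not real objects; H40 stands in for a name. */
#define H40 "0123456789abcdef0123456789abcdef01234567"
#define AUTHOR "author A U Thor <author@example.com> 1199646191 +0100\n"
static const char *const samples[] = {
	"tree " H40 "\nparent " H40 "\n" AUTHOR
	"committer C O Mitter <c@example.com> 1199646191 +0100\n\nmsg\n",
	"tree " H40 "\nauthor",        /* body ends right after "author" */
	"tree " H40 "\nparent " H40,   /* parent line cut off before its LF */
	"tree " H40 "x",               /* tree name not terminated by LF */
	"tree " H40 "\n" AUTHOR "committer C O Mitter <c@example.com", /* no '>' */
};

/* Parse sample idx from a heap copy of exactly its length with no trailing
 * NUL, so a read past the stated size is a real out-of-bounds access that a
 * sanitizer reports instead of a silent stop at '\0'. */
static enum commit_hdr_status run_sample(int idx, unsigned long *date)
{
	size_t n = strlen(samples[idx]);
	char *body = malloc(n);
	enum commit_hdr_status st;
	if (!body) return COMMIT_BOGUS;
	memcpy(body, samples[idx], n);
	st = check_commit_header(body, n, date);
	free(body);
	return st;
}

static enum commit_hdr_status sample_status(int idx)
{ unsigned long d = 0; return run_sample(idx, &d); }
static unsigned long sample_date(int idx)
{ unsigned long d = 0; run_sample(idx, &d); return d; }
```

Building with -fsanitize=address is what gives run_sample its point: the truncated samples end exactly where the scan would otherwise continue, so a loop like the pre-patch `while (*buf++ != '\n')` that trusts a terminator reads past the allocation there and is reported, while the bounded version returns a status and a date of 0 for every malformed body and 1199646191 for the well-formed one.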


Thread overview: 9+ messages
2008-01-06 19:03 [PATCH] parse_tag_buffer: don't parse invalid tags Martin Koegler
2008-01-06 19:03 ` [PATCH] parse_commit_buffer: don't parse invalid commits Martin Koegler
2008-01-06 22:00   ` Junio C Hamano [this message]
2008-01-07  7:40     ` Martin Koegler
  -- strict thread matches above, loose matches on Subject: below --
2008-01-14 21:20 Martin Koegler
2008-01-15  7:32 ` Johannes Sixt
2008-01-19 17:35 Martin Koegler
2008-01-19 19:52 ` Junio C Hamano
2008-01-20 16:11   ` Martin Koegler
