Git development
 help / color / mirror / Atom feed
From: Johannes Schindelin <Johannes.Schindelin@gmx.de>
To: Patrick Steinhardt <ps@pks.im>
Cc: Johannes Schindelin via GitGitGadget <gitgitgadget@gmail.com>,
	 git@vger.kernel.org
Subject: Re: [PATCH 07/13] dir: free allocations on parse-error paths in read_one_dir()
Date: Sat, 4 Jul 2026 10:58:56 +0200 (CEST)	[thread overview]
Message-ID: <0278c01a-5a7d-e6a4-bee3-4df6df7e5276@gmx.de> (raw)
In-Reply-To: <akTIOeXFhNjJ7V3i@pks.im>

Hi Patrick,

On Wed, 1 Jul 2026, Patrick Steinhardt wrote:

> On Wed, Jul 01, 2026 at 07:04:25AM +0000, Johannes Schindelin via GitGitGadget wrote:
> > diff --git a/dir.c b/dir.c
> > index 32430090dc..23335b9f7a 100644
> > --- a/dir.c
> > +++ b/dir.c
> > @@ -3792,13 +3792,18 @@ static int read_one_dir(struct untracked_cache_dir **untracked_,
> >  		ALLOC_ARRAY(ud.untracked, ud.untracked_nr);
> >  
> >  	ud.dirs_alloc = ud.dirs_nr = decode_varint(&data);
> > -	if (data > end)
> > +	if (data > end) {
> > +		free(ud.untracked);
> >  		return -1;
> > +	}
> >  	ALLOC_ARRAY(ud.dirs, ud.dirs_nr);
> >  
> >  	eos = memchr(data, '\0', end - data);
> > -	if (!eos || eos == end)
> > +	if (!eos || eos == end) {
> > +		free(ud.untracked);
> > +		free(ud.dirs);
> >  		return -1;
> > +	}
> >  
> >  	*untracked_ = untracked = xmalloc(st_add3(sizeof(*untracked), eos - data, 1));
> >  	memcpy(untracked, &ud, sizeof(ud));
> 
> Hm. Here we assign ownership to the caller, but this still feels quite
> off to me as we also have two more early returns after this point that
> seem to leak memory. Do the callers make sure to always free the data?

Ownership transfers to the caller on the `xmalloc`/`memcpy` line: the
`memcpy` copies the `ud.untracked` and `ud.dirs` pointers into the freshly
xmalloc'd struct that becomes `*untracked_`. From there, any subsequent
failure in the caller reaches `free_untracked_cache()` and then
`free_untracked()`, which releases both arrays. So the two further early
returns are correct as-are.

I will fold that reasoning into the v2 commit message so a future
reader does not have to re-derive it.

Incidentally, and orthogonal to Coverity's leak report: on those same
failure paths, individual slots of `->dirs` and `->untracked` remain
uninitialised, so `free_untracked()` walks garbage pointers before it
ever reaches the two `free()` calls above. That is a separate
crash-on-cleanup bug and I would prefer to address it in a follow-up
rather than widen the scope of this series.

Ciao,
Johannes

  reply	other threads:[~2026-07-04  8:58 UTC|newest]

Thread overview: 40+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-01  7:04 [PATCH 00/13] coverity: fix leaks and error paths Johannes Schindelin via GitGitGadget
2026-07-01  7:04 ` [PATCH 01/13] load_one_loose_object_map(): fix resource leak Johannes Schindelin via GitGitGadget
2026-07-01  7:56   ` Patrick Steinhardt
2026-07-01 16:25   ` Junio C Hamano
2026-07-04  8:58     ` Johannes Schindelin
2026-07-01  7:04 ` [PATCH 02/13] loose: avoid closing invalid fd on error path Johannes Schindelin via GitGitGadget
2026-07-01  7:56   ` Patrick Steinhardt
2026-07-01  7:04 ` [PATCH 03/13] download_https_uri_to_file(): do not leak fd upon failure Johannes Schindelin via GitGitGadget
2026-07-01  7:04 ` [PATCH 04/13] run-command: avoid close(-1) in start_command() error paths Johannes Schindelin via GitGitGadget
2026-07-01  7:56   ` Patrick Steinhardt
2026-07-01  7:04 ` [PATCH 05/13] run_diff_files: avoid memory leak Johannes Schindelin via GitGitGadget
2026-07-01  7:56   ` Patrick Steinhardt
2026-07-04  8:58     ` Johannes Schindelin
2026-07-01  7:04 ` [PATCH 06/13] line-log: avoid redundant copy that leaks in process_ranges Johannes Schindelin via GitGitGadget
2026-07-01  8:02   ` Jeff King
2026-07-01  7:04 ` [PATCH 07/13] dir: free allocations on parse-error paths in read_one_dir() Johannes Schindelin via GitGitGadget
2026-07-01  7:56   ` Patrick Steinhardt
2026-07-04  8:58     ` Johannes Schindelin [this message]
2026-07-01  7:04 ` [PATCH 08/13] submodule: fix cwd leak in get_superproject_working_tree() Johannes Schindelin via GitGitGadget
2026-07-01  7:56   ` Patrick Steinhardt
2026-07-04  8:59     ` Johannes Schindelin
2026-07-01  7:04 ` [PATCH 09/13] worktree: fix resource leaks when branch creation fails Johannes Schindelin via GitGitGadget
2026-07-01  7:04 ` [PATCH 10/13] imap-send: avoid leaking the IMAP upload buffer Johannes Schindelin via GitGitGadget
2026-07-01  7:04 ` [PATCH 11/13] reftable/table: release filter on error path Johannes Schindelin via GitGitGadget
2026-07-01  7:04 ` [PATCH 12/13] fsmonitor: plug token-data leak on early daemon-startup failures Johannes Schindelin via GitGitGadget
2026-07-01  7:04 ` [PATCH 13/13] mingw: make exit_process() own the process handle on all paths Johannes Schindelin via GitGitGadget
2026-07-01 17:34 ` [PATCH 00/13] coverity: fix leaks and error paths Junio C Hamano
2026-07-05  8:24 ` [PATCH v2 00/12] " Johannes Schindelin via GitGitGadget
2026-07-05  8:24   ` [PATCH v2 01/12] load_one_loose_object_map(): fix resource leak Johannes Schindelin via GitGitGadget
2026-07-05  8:24   ` [PATCH v2 02/12] loose: avoid closing invalid fd on error path Johannes Schindelin via GitGitGadget
2026-07-05  8:24   ` [PATCH v2 03/12] download_https_uri_to_file(): do not leak fd upon failure Johannes Schindelin via GitGitGadget
2026-07-05  8:24   ` [PATCH v2 04/12] run-command: avoid `close(-1)` in `start_command()` error paths Johannes Schindelin via GitGitGadget
2026-07-05  8:24   ` [PATCH v2 05/12] line-log: avoid redundant copy that leaks in process_ranges Johannes Schindelin via GitGitGadget
2026-07-05  8:24   ` [PATCH v2 06/12] dir: free allocations on parse-error paths in `read_one_dir()` Johannes Schindelin via GitGitGadget
2026-07-05  8:24   ` [PATCH v2 07/12] submodule: fix cwd leak in `get_superproject_working_tree()` Johannes Schindelin via GitGitGadget
2026-07-05  8:24   ` [PATCH v2 08/12] worktree: fix resource leaks when branch creation fails Johannes Schindelin via GitGitGadget
2026-07-05  8:24   ` [PATCH v2 09/12] imap-send: avoid leaking the IMAP upload buffer Johannes Schindelin via GitGitGadget
2026-07-05  8:24   ` [PATCH v2 10/12] reftable/table: release filter on error path Johannes Schindelin via GitGitGadget
2026-07-05  8:24   ` [PATCH v2 11/12] fsmonitor: plug token-data leak on early daemon-startup failures Johannes Schindelin via GitGitGadget
2026-07-05  8:24   ` [PATCH v2 12/12] mingw: make `exit_process()` own the process handle on all paths Johannes Schindelin via GitGitGadget

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=0278c01a-5a7d-e6a4-bee3-4df6df7e5276@gmx.de \
    --to=johannes.schindelin@gmx.de \
    --cc=git@vger.kernel.org \
    --cc=gitgitgadget@gmail.com \
    --cc=ps@pks.im \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox