Git development
From: "René Scharfe" <rene.scharfe@lsrfire.ath.cx>
To: Jiri Slaby <jirislaby@gmail.com>
Cc: git@vger.kernel.org
Subject: Re: potential null dereference
Date: Thu, 17 Dec 2009 13:30:55 +0100
Message-ID: <4B2A247F.4070705@lsrfire.ath.cx>
In-Reply-To: <4B2783DD.5060301@gmail.com>

On 15.12.2009 13:41, Jiri Slaby wrote:
> Hi,
> 
> Stanse found the following error in unpack-trees.c:
> dereferencing NULL pointer here.[. * o src_index]
> 
> int unpack_trees(unsigned len, struct tree_desc *t, struct
> unpack_trees_options *o)
> {
>  int ret;
>  static struct cache_entry *dfc;
> ...
>  if (o->src_index) {                   <-- loc0
>   o->result.timestamp.sec = o->src_index->timestamp.sec;
>   o->result.timestamp.nsec = o->src_index->timestamp.nsec;
>  }
>  o->merge_size = len;
> 
>  if (!dfc)
>   dfc = xcalloc(1, ((1 + (0) + 8) & ~7));
>  o->df_conflict_entry = dfc;
> 
>  if (len) {
> ...
>  }
> 
>  if (o->merge) {
>   while (o->pos < o->src_index->cache_nr) { <-- here
> 
> It triggers, because there is a test for o->src_index being NULL at
> loc0, but here, it is dereferenced without a check. Can this happen
> (e.g. does o->merge != NULL imply o->src_index != NULL)?

Running "git grep -w -B70 unpack_trees" and looking for "src_index"
using less' search command showed me that src_index is never NULL when
unpack_trees() is called.

> Further, there is a warning in log-tree.c:
> pointer always points to valid memory here, but checking for not
> NULL.[parents]
> 
> static int log_tree_diff(struct rev_info *opt, struct commit *commit,
> struct log_info *log)
> {
>  int showed_log;
>  struct commit_list *parents;
>  unsigned const char *sha1 = commit->object.sha1;
> 
>  if (!opt->diff && !((&opt->diffopt)->flags & (1 << 14)))
>   return 0;
> 
> 
>  parents = commit->parents;
>  if (!parents) {            <-- loc0
>   if (opt->show_root_diff) {
>    diff_root_tree_sha1(sha1, "", &opt->diffopt);
>    log_tree_diff_flush(opt);
>   }
>   return !opt->loginfo;     <-- loc1
>  }
> 
>  if (parents && parents->next) { <-- here
> 
> I.e. if parents was NULL at loc0, we escaped at loc1. But we check
> parents against NULL here again.

The check may be duplicate, but I suspect removing it won't change the
resulting object code -- the compiler should be smart enough to come to
the same conclusion.

Thanks,
René
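A reduced illustration of the pattern Stanse reported in unpack_trees(), added here as an example; it is not git's code, and the struct names and fields are hypothetical. It puts the flagged shape (a pointer guarded at one site and dereferenced bare at a later one, relying on a caller invariant the checker cannot see) beside a variant that states the invariant once at function entry, which keeps the same behaviour for valid callers and gives the analyzer nothing to report.

```c
/* Reduced illustration of the Stanse finding: a pointer NULL-checked at
 * one site (loc0) and dereferenced unconditionally at a later site
 * ("here"). Hypothetical types, not git's unpack_trees(). */
#include <stddef.h>

struct index_state {
    long timestamp;
    int cache_nr;
};

struct options {
    const struct index_state *src_index;  /* never NULL by caller contract */
    int merge;
    int pos;
    long result_timestamp;
};

/* Original shape: src_index is guarded at loc0 but used bare later.
 * The invariant "merge implies src_index" holds at every call site, but a
 * flow-sensitive checker only sees the inconsistent treatment within this
 * function and reports a potential NULL dereference. */
static int walk_inconsistent(struct options *o)
{
    int visited = 0;
    if (o->src_index)                              /* loc0 */
        o->result_timestamp = o->src_index->timestamp;
    if (o->merge) {
        while (o->pos < o->src_index->cache_nr) {  /* here */
            o->pos++;
            visited++;
        }
    }
    return visited;
}

/* Hardened shape: state the invariant once at entry. Valid callers take
 * the same path as before; a violated invariant becomes a defined error
 * return instead of a crash, and the guard and the use now agree. */
static int walk_explicit(struct options *o)
{
    int visited = 0;
    if (!o->src_index)
        return -1;                                 /* invariant violated */
    o->result_timestamp = o->src_index->timestamp;
    if (o->merge) {
        while (o->pos < o->src_index->cache_nr) {
            o->pos++;
            visited++;
        }
    }
    return visited;
}
```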
