From: Phillip Wood <phillip.wood123@gmail.com>
To: Cheng <prophecheng@stu.pku.edu.cn>, git@vger.kernel.org
Subject: Re: Potential Null Pointer Dereference detected by static analysis tool
Date: Wed, 13 Aug 2025 14:19:14 +0100
Message-ID: <5303c45e-d95b-4bc8-9cd1-bf4efe6bfbae@gmail.com>
In-Reply-To: <AAkArwD3JXZP4EIjvKF0Waow.1.1755044612233.Hmail.2201111603@stu.pku.edu.cn>
Hi Cheng
On 13/08/2025 01:23, Cheng wrote:
>
>
> Line 326 in builtin/describe.c, which is located in the function describe_commit. In the following code, cmit could be NULL when passed to the call, which then causes a NULL dereference. It seems lookup_commit_reference should be replaced with lookup_commit_or_die.
>
>
> ```cpp
> cmit = lookup_commit_reference(the_repository, oid);
> n = find_commit_name(&cmit->object.oid);
> ```
>
>
>
> The NULL value seems to come from function lookup_commit_reference_gently where:
>
> - 1. call to deref_tag may return NULL.
>
> - 2. call to object_as_type may return NULL.
>
>
> In this repository, other calls to lookup_commit_reference are followed by a null check. So this seems to lead to NULL dereference. Can I confirm with you whether this is a true positive bug report?
I had a quick look at the callers of describe_commit() and they all seem
to use an oid that they get from looking up a commit so I'm not sure
under what circumstances this call to lookup_commit_reference() can fail.
Thanks
Phillip
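
The pattern discussed in this message, as an added example that is not part of the email and is not git's code: a simplified model of a lookup that returns NULL for the two reasons the report lists, with the unchecked and checked caller shapes side by side. All types, ids and function names (model_lookup_commit_reference, describe_unchecked, describe_checked) are hypothetical stand-ins, and the object store is constructed sample data.

```c
#include <string.h>

/* Simplified stand-ins for this example; not git's real types or functions. */
enum obj_type { OBJ_COMMIT, OBJ_BLOB, OBJ_TAG };
struct object {
	enum obj_type type;
	const char *oid;        /* constructed, shortened ids */
	struct object *tagged;  /* tag target, NULL if it is missing */
};

static struct object commit_a = { OBJ_COMMIT, "c0ffee", NULL };
static struct object blob_b   = { OBJ_BLOB,   "b10b00", NULL };
static struct object tag_ok   = { OBJ_TAG,    "7a6000", &commit_a };
static struct object tag_bad  = { OBJ_TAG,    "7a6bad", NULL };
static struct object *store[] = { &commit_a, &blob_b, &tag_ok, &tag_bad };

static struct object *find_object(const char *oid)
{
	for (size_t i = 0; i < sizeof(store) / sizeof(store[0]); i++)
		if (!strcmp(store[i]->oid, oid))
			return store[i];
	return NULL;
}

/* Models both NULL sources named in the report. */
static struct object *model_lookup_commit_reference(const char *oid)
{
	struct object *o = find_object(oid);
	while (o && o->type == OBJ_TAG)
		o = o->tagged;            /* peeling a tag can fail, as with deref_tag */
	if (!o || o->type != OBJ_COMMIT)
		return NULL;              /* not a commit, as with object_as_type */
	return o;
}

/* Reported shape: the result is dereferenced without a check. */
const char *describe_unchecked(const char *oid)
{
	return model_lookup_commit_reference(oid)->oid;
}

/* Checked shape: a failed lookup becomes an error the caller can handle. */
const char *describe_checked(const char *oid)
{
	struct object *cmit = model_lookup_commit_reference(oid);
	return cmit ? cmit->oid : NULL;
}

/* Exit status 0: the blob id is rejected instead of being dereferenced. */
int main(void) { return describe_checked("b10b00") ? 1 : 0; }
```

Whether the unchecked shape is reachable depends on what the callers pass in, which is the question this reply raises: if every caller supplies an id that already resolved to a commit, the NULL branch is never taken.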