* [PATCH] Don't segfault if we failed to inflate a packed delta
@ 2007-08-25 7:26 Shawn O. Pearce
2007-08-25 8:30 ` [PATCH 1/2] blame: check return value from read_sha1_file() Junio C Hamano
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Shawn O. Pearce @ 2007-08-25 7:26 UTC (permalink / raw)
To: Junio C Hamano; +Cc: git
Under some types of packfile corruption the zlib stream holding the
data for a delta within a packfile may fail to inflate, due to say
a CRC failure within the compressed data itself. When this occurs
the unpack_compressed_entry function will return NULL as a signal to
the caller that the data is not available. Unfortunately we then
tried to use that NULL as though it referenced a memory location
where a delta was stored and tried to apply it to the delta base.
Loading a byte from the NULL address typically causes a SIGSEGV.
cate on #git noticed this failure in `git fsck --full` where the
call to verify_pack() first noticed that the packfile was corrupt
by finding that the packfile's SHA-1 did not match the raw data of
the file. After finding this fsck went ahead and tried to verify
every object within the packfile, even though the packfile was
already known to be bad. If we are going to shovel bad data at
the delta unpacking code, we better handle it correctly.
Signed-off-by: Shawn O. Pearce <spearce@spearce.org>
---
sha1_file.c | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/sha1_file.c b/sha1_file.c
index b219d4d..9978a58 100644
--- a/sha1_file.c
+++ b/sha1_file.c
@@ -1570,6 +1570,10 @@ static void *unpack_delta_entry(struct packed_git *p,
(uintmax_t)base_offset, p->pack_name);
delta_data = unpack_compressed_entry(p, w_curs, curpos, delta_size);
+ if (!delta_data)
+ die("failed to unpack compressed delta"
+ " at %"PRIuMAX" from %s",
+ (uintmax_t)curpos, p->pack_name);
result = patch_delta(base, base_size,
delta_data, delta_size,
sizep);
--
1.5.3.rc6.17.g1911
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH 1/2] blame: check return value from read_sha1_file()
2007-08-25 7:26 [PATCH] Don't segfault if we failed to inflate a packed delta Shawn O. Pearce
@ 2007-08-25 8:30 ` Junio C Hamano
2007-08-25 8:30 ` [PATCH 2/2] pack-objects: " Junio C Hamano
2007-08-25 15:19 ` [PATCH] Don't segfault if we failed to inflate a packed delta Linus Torvalds
2 siblings, 0 replies; 5+ messages in thread
From: Junio C Hamano @ 2007-08-25 8:30 UTC (permalink / raw)
To: git; +Cc: Shawn O. Pearce
(Trivial #1).
Signed-off-by: Junio C Hamano <gitster@pobox.com>
---
builtin-blame.c | 11 +++++++++++
1 files changed, 11 insertions(+), 0 deletions(-)
diff --git a/builtin-blame.c b/builtin-blame.c
index 0519339..dc88a95 100644
--- a/builtin-blame.c
+++ b/builtin-blame.c
@@ -98,6 +98,10 @@ static char *fill_origin_blob(struct origin *o, mmfile_t *file)
num_read_blob++;
file->ptr = read_sha1_file(o->blob_sha1, &type,
(unsigned long *)(&(file->size)));
+ if (!file->ptr)
+ die("Cannot read blob %s for path %s",
+ sha1_to_hex(o->blob_sha1),
+ o->path);
o->file = *file;
}
else
@@ -1384,6 +1388,9 @@ static void get_commit_info(struct commit *commit,
unsigned long size;
commit->buffer =
read_sha1_file(commit->object.sha1, &type, &size);
+ if (!commit->buffer)
+ die("Cannot read commit %s",
+ sha1_to_hex(commit->object.sha1));
}
ret->author = author_buf;
get_ac_line(commit->buffer, "\nauthor ",
@@ -2382,6 +2389,10 @@ int cmd_blame(int argc, const char **argv, const char *prefix)
sb.final_buf = read_sha1_file(o->blob_sha1, &type,
&sb.final_buf_size);
+ if (!sb.final_buf)
+ die("Cannot read blob %s for path %s",
+ sha1_to_hex(o->blob_sha1),
+ path);
}
num_read_blob++;
lno = prepare_lines(&sb);
--
1.5.3.rc6.23.g0058
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH 2/2] pack-objects: check return value from read_sha1_file()
2007-08-25 7:26 [PATCH] Don't segfault if we failed to inflate a packed delta Shawn O. Pearce
2007-08-25 8:30 ` [PATCH 1/2] blame: check return value from read_sha1_file() Junio C Hamano
@ 2007-08-25 8:30 ` Junio C Hamano
2007-08-25 15:19 ` [PATCH] Don't segfault if we failed to inflate a packed delta Linus Torvalds
2 siblings, 0 replies; 5+ messages in thread
From: Junio C Hamano @ 2007-08-25 8:30 UTC (permalink / raw)
To: git; +Cc: Shawn O. Pearce
(Trivial #2).
Signed-off-by: Junio C Hamano <gitster@pobox.com>
---
builtin-pack-objects.c | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)
diff --git a/builtin-pack-objects.c b/builtin-pack-objects.c
index 77481df..9b3ef94 100644
--- a/builtin-pack-objects.c
+++ b/builtin-pack-objects.c
@@ -1356,6 +1356,9 @@ static int try_delta(struct unpacked *trg, struct unpacked *src,
/* Load data if not already done */
if (!trg->data) {
trg->data = read_sha1_file(trg_entry->idx.sha1, &type, &sz);
+ if (!trg->data)
+ die("object %s cannot be read",
+ sha1_to_hex(trg_entry->idx.sha1));
if (sz != trg_size)
die("object %s inconsistent object length (%lu vs %lu)",
sha1_to_hex(trg_entry->idx.sha1), sz, trg_size);
@@ -1363,6 +1366,9 @@ static int try_delta(struct unpacked *trg, struct unpacked *src,
}
if (!src->data) {
src->data = read_sha1_file(src_entry->idx.sha1, &type, &sz);
+ if (!src->data)
+ die("object %s cannot be read",
+ sha1_to_hex(src_entry->idx.sha1));
if (sz != src_size)
die("object %s inconsistent object length (%lu vs %lu)",
sha1_to_hex(src_entry->idx.sha1), sz, src_size);
--
1.5.3.rc6.23.g0058
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH] Don't segfault if we failed to inflate a packed delta
2007-08-25 7:26 [PATCH] Don't segfault if we failed to inflate a packed delta Shawn O. Pearce
2007-08-25 8:30 ` [PATCH 1/2] blame: check return value from read_sha1_file() Junio C Hamano
2007-08-25 8:30 ` [PATCH 2/2] pack-objects: " Junio C Hamano
@ 2007-08-25 15:19 ` Linus Torvalds
2007-08-25 17:56 ` Junio C Hamano
2 siblings, 1 reply; 5+ messages in thread
From: Linus Torvalds @ 2007-08-25 15:19 UTC (permalink / raw)
To: Shawn O. Pearce; +Cc: Junio C Hamano, git
On Sat, 25 Aug 2007, Shawn O. Pearce wrote:
>
> cate on #git noticed this failure in `git fsck --full` where the
> call to verify_pack() first noticed that the packfile was corrupt
> by finding that the packfile's SHA-1 did not match the raw data of
> the file. After finding this fsck went ahead and tried to verify
> every object within the packfile, even though the packfile was
> already known to be bad. If we are going to shovel bad data at
> the delta unpacking code, we better handle it correctly.
Hmm. We should actually make "unpack_entry()" return print an error and
return NULL for these cases, rather than die, I think.
Most of the callers seem to already check for NULL (not "load_tree()" in
fast-import.c), but for something like fsck, while "die()" is obviously
better than a SIGSEGV, we should probably continue and try to see what
else we find.
(Although, to be honest, it might not matter. If your pack-file is corrupt
enough for this to trigger, there's seldom anything interesting fsck will
tell, so in practical terms this probably isn't a big deal).
Linus
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] Don't segfault if we failed to inflate a packed delta
2007-08-25 15:19 ` [PATCH] Don't segfault if we failed to inflate a packed delta Linus Torvalds
@ 2007-08-25 17:56 ` Junio C Hamano
0 siblings, 0 replies; 5+ messages in thread
From: Junio C Hamano @ 2007-08-25 17:56 UTC (permalink / raw)
To: Linus Torvalds; +Cc: Shawn O. Pearce, git
Linus Torvalds <torvalds@linux-foundation.org> writes:
> Hmm. We should actually make "unpack_entry()" return print an error and
> return NULL for these cases, rather than die, I think.
>
> Most of the callers seem to already check for NULL (not "load_tree()" in
> fast-import.c), but for something like fsck, while "die()" is obviously
> better than a SIGSEGV, we should probably continue and try to see what
> else we find.
>
> (Although, to be honest, it might not matter. If your pack-file is corrupt
> enough for this to trigger, there's seldom anything interesting fsck will
> tell, so in practical terms this probably isn't a big deal).
But if the delta does not apply we already die(). Last night I
and Shawn actually were wondering if it makes sense to have
unpack_entry() die -- quite the opposite of being nicer to fsck.
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2007-08-25 17:56 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-08-25 7:26 [PATCH] Don't segfault if we failed to inflate a packed delta Shawn O. Pearce
2007-08-25 8:30 ` [PATCH 1/2] blame: check return value from read_sha1_file() Junio C Hamano
2007-08-25 8:30 ` [PATCH 2/2] pack-objects: " Junio C Hamano
2007-08-25 15:19 ` [PATCH] Don't segfault if we failed to inflate a packed delta Linus Torvalds
2007-08-25 17:56 ` Junio C Hamano
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).