[PATCH] Don't segfault if we failed to inflate a packed delta

[PATCH] Don't segfault if we failed to inflate a packed delta

[Shawn O. Pearce]

Under some types of packfile corruption the zlib stream holding the
data for a delta within a packfile may fail to inflate, due to say
a CRC failure within the compressed data itself.  When this occurs
the unpack_compressed_entry function will return NULL as a signal to
the caller that the data is not available.  Unfortunately we then
tried to use that NULL as though it referenced a memory location
where a delta was stored and tried to apply it to the delta base.
Loading a byte from the NULL address typically causes a SIGSEGV.

cate on #git noticed this failure in `git fsck --full` where the
call to verify_pack() first noticed that the packfile was corrupt
by finding that the packfile's SHA-1 did not match the raw data of
the file.  After finding this fsck went ahead and tried to verify
every object within the packfile, even though the packfile was
already known to be bad.  If we are going to shovel bad data at
the delta unpacking code, we better handle it correctly.

Signed-off-by: Shawn O. Pearce <spearce@spearce.org>
---
 sha1_file.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/sha1_file.c b/sha1_file.c
index b219d4d..9978a58 100644
--- a/sha1_file.c
+++ b/sha1_file.c
@@ -1570,6 +1570,10 @@ static void *unpack_delta_entry(struct packed_git *p,
 		    (uintmax_t)base_offset, p->pack_name);
 
 	delta_data = unpack_compressed_entry(p, w_curs, curpos, delta_size);
+	if (!delta_data)
+		die("failed to unpack compressed delta"
+		    " at %"PRIuMAX" from %s",
+		    (uintmax_t)curpos, p->pack_name);
 	result = patch_delta(base, base_size,
 			     delta_data, delta_size,
 			     sizep);
-- 
1.5.3.rc6.17.g1911

[PATCH 1/2] blame: check return value from read_sha1_file()

[Junio C Hamano]

(Trivial #1).

Signed-off-by: Junio C Hamano <gitster@pobox.com>
---
 builtin-blame.c |   11 +++++++++++
 1 files changed, 11 insertions(+), 0 deletions(-)

diff --git a/builtin-blame.c b/builtin-blame.c
index 0519339..dc88a95 100644
--- a/builtin-blame.c
+++ b/builtin-blame.c
@@ -98,6 +98,10 @@ static char *fill_origin_blob(struct origin *o, mmfile_t *file)
 		num_read_blob++;
 		file->ptr = read_sha1_file(o->blob_sha1, &type,
 					   (unsigned long *)(&(file->size)));
+		if (!file->ptr)
+			die("Cannot read blob %s for path %s",
+			    sha1_to_hex(o->blob_sha1),
+			    o->path);
 		o->file = *file;
 	}
 	else
@@ -1384,6 +1388,9 @@ static void get_commit_info(struct commit *commit,
 		unsigned long size;
 		commit->buffer =
 			read_sha1_file(commit->object.sha1, &type, &size);
+		if (!commit->buffer)
+			die("Cannot read commit %s",
+			    sha1_to_hex(commit->object.sha1));
 	}
 	ret->author = author_buf;
 	get_ac_line(commit->buffer, "\nauthor ",
@@ -2382,6 +2389,10 @@ int cmd_blame(int argc, const char **argv, const char *prefix)
 
 		sb.final_buf = read_sha1_file(o->blob_sha1, &type,
 					      &sb.final_buf_size);
+		if (!sb.final_buf)
+			die("Cannot read blob %s for path %s",
+			    sha1_to_hex(o->blob_sha1),
+			    path);
 	}
 	num_read_blob++;
 	lno = prepare_lines(&sb);
-- 
1.5.3.rc6.23.g0058

[PATCH 2/2] pack-objects: check return value from read_sha1_file()

[Junio C Hamano]

(Trivial #2).

Signed-off-by: Junio C Hamano <gitster@pobox.com>
---
 builtin-pack-objects.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/builtin-pack-objects.c b/builtin-pack-objects.c
index 77481df..9b3ef94 100644
--- a/builtin-pack-objects.c
+++ b/builtin-pack-objects.c
@@ -1356,6 +1356,9 @@ static int try_delta(struct unpacked *trg, struct unpacked *src,
 	/* Load data if not already done */
 	if (!trg->data) {
 		trg->data = read_sha1_file(trg_entry->idx.sha1, &type, &sz);
+		if (!trg->data)
+			die("object %s cannot be read",
+			    sha1_to_hex(trg_entry->idx.sha1));
 		if (sz != trg_size)
 			die("object %s inconsistent object length (%lu vs %lu)",
 			    sha1_to_hex(trg_entry->idx.sha1), sz, trg_size);
@@ -1363,6 +1366,9 @@ static int try_delta(struct unpacked *trg, struct unpacked *src,
 	}
 	if (!src->data) {
 		src->data = read_sha1_file(src_entry->idx.sha1, &type, &sz);
+		if (!src->data)
+			die("object %s cannot be read",
+			    sha1_to_hex(src_entry->idx.sha1));
 		if (sz != src_size)
 			die("object %s inconsistent object length (%lu vs %lu)",
 			    sha1_to_hex(src_entry->idx.sha1), sz, src_size);
-- 
1.5.3.rc6.23.g0058

Re: [PATCH] Don't segfault if we failed to inflate a packed delta

[Linus Torvalds]

On Sat, 25 Aug 2007, Shawn O. Pearce wrote:
> 
> cate on #git noticed this failure in `git fsck --full` where the
> call to verify_pack() first noticed that the packfile was corrupt
> by finding that the packfile's SHA-1 did not match the raw data of
> the file.  After finding this fsck went ahead and tried to verify
> every object within the packfile, even though the packfile was
> already known to be bad.  If we are going to shovel bad data at
> the delta unpacking code, we better handle it correctly.

Hmm. We should actually make "unpack_entry()" return print an error and 
return NULL for these cases, rather than die, I think.

Most of the callers seem to already check for NULL (not "load_tree()" in 
fast-import.c), but for something like fsck, while "die()" is obviously 
better than a SIGSEGV, we should probably continue and try to see what 
else we find.

(Although, to be honest, it might not matter. If your pack-file is corrupt 
enough for this to trigger, there's seldom anything interesting fsck will 
tell, so in practical terms this probably isn't a big deal).

		Linus

Re: [PATCH] Don't segfault if we failed to inflate a packed delta

[Junio C Hamano]

Linus Torvalds <torvalds@linux-foundation.org> writes:

> Hmm. We should actually make "unpack_entry()" return print an error and 
> return NULL for these cases, rather than die, I think.
>
> Most of the callers seem to already check for NULL (not "load_tree()" in 
> fast-import.c), but for something like fsck, while "die()" is obviously 
> better than a SIGSEGV, we should probably continue and try to see what 
> else we find.
>
> (Although, to be honest, it might not matter. If your pack-file is corrupt 
> enough for this to trigger, there's seldom anything interesting fsck will 
> tell, so in practical terms this probably isn't a big deal).

But if the delta does not apply we already die().  Last night I
and Shawn actually were wondering if it makes sense to have
unpack_entry() die -- quite the opposite of being nicer to fsck.