[PATCH 0/3] builtin-branch: use strbuf

[PATCH 0/3] builtin-branch: use strbuf

[Miklos Vajna]

These 3 patches do what's in the subject: use the strbuf API instead of
snprintf() / sprintf().

The current risk of writing unallocated memory is low, I think, but
still, the return value of these functions were not checked at several
places.

Miklos Vajna (3):
  builtin-branch: use strbuf in delete_branches()
  builtin-branch: use strbuf in fill_tracking_info()
  builtin-branch: use strbuf in rename_branch()

 builtin-branch.c |   65 +++++++++++++++++++++++++++--------------------------
 1 files changed, 33 insertions(+), 32 deletions(-)

[PATCH 1/3] builtin-branch: use strbuf in delete_branches()

[Miklos Vajna]

In case the length of branch name is greather then PATH_MAX-7, we write
to unallocated memory otherwise.

Signed-off-by: Miklos Vajna <vmiklos@frugalware.org>
---
 builtin-branch.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/builtin-branch.c b/builtin-branch.c
index 2b3613f..b9149b7 100644
--- a/builtin-branch.c
+++ b/builtin-branch.c
@@ -97,7 +97,6 @@ static int delete_branches(int argc, const char **argv, int force, int kinds)
 	unsigned char sha1[20];
 	char *name = NULL;
 	const char *fmt, *remote;
-	char section[PATH_MAX];
 	int i;
 	int ret = 0;
 
@@ -165,11 +164,12 @@ static int delete_branches(int argc, const char **argv, int force, int kinds)
 			       argv[i]);
 			ret = 1;
 		} else {
+			struct strbuf buf = STRBUF_INIT;
 			printf("Deleted %sbranch %s.\n", remote, argv[i]);
-			snprintf(section, sizeof(section), "branch.%s",
-				 argv[i]);
-			if (git_config_rename_section(section, NULL) < 0)
+			strbuf_addf(&buf, "branch.%s", argv[i]);
+			if (git_config_rename_section(buf.buf, NULL) < 0)
 				warning("Update of config-file failed");
+			strbuf_release(&buf);
 		}
 	}
 
-- 
1.6.0.2

[PATCH 2/3] builtin-branch: use strbuf in fill_tracking_info()

[Miklos Vajna]

This is just about using the API, though in case of ~ 10^100 commits,
this would fix the problem of writing to unallocated memory as well. ;-)

Signed-off-by: Miklos Vajna <vmiklos@frugalware.org>
---
 builtin-branch.c |   18 ++++++++----------
 1 files changed, 8 insertions(+), 10 deletions(-)

diff --git a/builtin-branch.c b/builtin-branch.c
index b9149b7..c8a8e2a 100644
--- a/builtin-branch.c
+++ b/builtin-branch.c
@@ -279,7 +279,7 @@ static int ref_cmp(const void *r1, const void *r2)
 	return strcmp(c1->name, c2->name);
 }
 
-static void fill_tracking_info(char *stat, const char *branch_name)
+static void fill_tracking_info(struct strbuf *stat, const char *branch_name)
 {
 	int ours, theirs;
 	struct branch *branch = branch_get(branch_name);
@@ -287,11 +287,11 @@ static void fill_tracking_info(char *stat, const char *branch_name)
 	if (!stat_tracking_info(branch, &ours, &theirs) || (!ours && !theirs))
 		return;
 	if (!ours)
-		sprintf(stat, "[behind %d] ", theirs);
+		strbuf_addf(stat, "[behind %d] ", theirs);
 	else if (!theirs)
-		sprintf(stat, "[ahead %d] ", ours);
+		strbuf_addf(stat, "[ahead %d] ", ours);
 	else
-		sprintf(stat, "[ahead %d, behind %d] ", ours, theirs);
+		strbuf_addf(stat, "[ahead %d, behind %d] ", ours, theirs);
 }
 
 static int matches_merge_filter(struct commit *commit)
@@ -334,11 +334,8 @@ static void print_ref_item(struct ref_item *item, int maxwidth, int verbose,
 	}
 
 	if (verbose) {
-		struct strbuf subject = STRBUF_INIT;
+		struct strbuf subject = STRBUF_INIT, stat = STRBUF_INIT;
 		const char *sub = " **** invalid ref ****";
-		char stat[128];
-
-		stat[0] = '\0';
 
 		commit = item->commit;
 		if (commit && !parse_commit(commit)) {
@@ -348,13 +345,14 @@ static void print_ref_item(struct ref_item *item, int maxwidth, int verbose,
 		}
 
 		if (item->kind == REF_LOCAL_BRANCH)
-			fill_tracking_info(stat, item->name);
+			fill_tracking_info(&stat, item->name);
 
 		printf("%c %s%-*s%s %s %s%s\n", c, branch_get_color(color),
 		       maxwidth, item->name,
 		       branch_get_color(COLOR_BRANCH_RESET),
 		       find_unique_abbrev(item->commit->object.sha1, abbrev),
-		       stat, sub);
+		       stat.buf, sub);
+		strbuf_release(&stat);
 		strbuf_release(&subject);
 	} else {
 		printf("%c %s%s%s\n", c, branch_get_color(color), item->name,
-- 
1.6.0.2

[PATCH 3/3] builtin-branch: use strbuf in rename_branch()

[Miklos Vajna]

In case the length of branch name is greather then PATH_MAX-11, we write
to unallocated memory otherwise.

Signed-off-by: Miklos Vajna <vmiklos@frugalware.org>
---
 builtin-branch.c |   39 +++++++++++++++++++++------------------
 1 files changed, 21 insertions(+), 18 deletions(-)

diff --git a/builtin-branch.c b/builtin-branch.c
index c8a8e2a..494cbac 100644
--- a/builtin-branch.c
+++ b/builtin-branch.c
@@ -424,42 +424,45 @@ static void print_ref_list(int kinds, int detached, int verbose, int abbrev, str
 
 static void rename_branch(const char *oldname, const char *newname, int force)
 {
-	char oldref[PATH_MAX], newref[PATH_MAX], logmsg[PATH_MAX*2 + 100];
+	struct strbuf oldref = STRBUF_INIT, newref = STRBUF_INIT, logmsg = STRBUF_INIT;
 	unsigned char sha1[20];
-	char oldsection[PATH_MAX], newsection[PATH_MAX];
+	struct strbuf oldsection = STRBUF_INIT, newsection = STRBUF_INIT;
 
 	if (!oldname)
 		die("cannot rename the current branch while not on any.");
 
-	if (snprintf(oldref, sizeof(oldref), "refs/heads/%s", oldname) > sizeof(oldref))
-		die("Old branchname too long");
+	strbuf_addf(&oldref, "refs/heads/%s", oldname);
 
-	if (check_ref_format(oldref))
-		die("Invalid branch name: %s", oldref);
+	if (check_ref_format(oldref.buf))
+		die("Invalid branch name: %s", oldref.buf);
 
-	if (snprintf(newref, sizeof(newref), "refs/heads/%s", newname) > sizeof(newref))
-		die("New branchname too long");
+	strbuf_addf(&newref, "refs/heads/%s", newname);
 
-	if (check_ref_format(newref))
-		die("Invalid branch name: %s", newref);
+	if (check_ref_format(newref.buf))
+		die("Invalid branch name: %s", newref.buf);
 
-	if (resolve_ref(newref, sha1, 1, NULL) && !force)
+	if (resolve_ref(newref.buf, sha1, 1, NULL) && !force)
 		die("A branch named '%s' already exists.", newname);
 
-	snprintf(logmsg, sizeof(logmsg), "Branch: renamed %s to %s",
-		 oldref, newref);
+	strbuf_addf(&logmsg, "Branch: renamed %s to %s",
+		 oldref.buf, newref.buf);
 
-	if (rename_ref(oldref, newref, logmsg))
+	if (rename_ref(oldref.buf, newref.buf, logmsg.buf))
 		die("Branch rename failed");
+	strbuf_release(&logmsg);
 
 	/* no need to pass logmsg here as HEAD didn't really move */
-	if (!strcmp(oldname, head) && create_symref("HEAD", newref, NULL))
+	if (!strcmp(oldname, head) && create_symref("HEAD", newref.buf, NULL))
 		die("Branch renamed to %s, but HEAD is not updated!", newname);
 
-	snprintf(oldsection, sizeof(oldsection), "branch.%s", oldref + 11);
-	snprintf(newsection, sizeof(newsection), "branch.%s", newref + 11);
-	if (git_config_rename_section(oldsection, newsection) < 0)
+	strbuf_addf(&oldsection, "branch.%s", oldref.buf + 11);
+	strbuf_release(&oldref);
+	strbuf_addf(&newsection, "branch.%s", newref.buf + 11);
+	strbuf_release(&newref);
+	if (git_config_rename_section(oldsection.buf, newsection.buf) < 0)
 		die("Branch is renamed, but update of config-file failed");
+	strbuf_release(&oldsection);
+	strbuf_release(&newsection);
 }
 
 static int opt_parse_with_commit(const struct option *opt, const char *arg, int unset)
-- 
1.6.0.2

Re: [PATCH 3/3] builtin-branch: use strbuf in rename_branch()

[Junio C Hamano]

Miklos Vajna <vmiklos@frugalware.org> writes:

> In case the length of branch name is greather then PATH_MAX-11, we write
> to unallocated memory otherwise.

True for {old,new}section.

I'll apply three patches from you as-is.  Thanks.

Having said that,

> -	snprintf(logmsg, sizeof(logmsg), "Branch: renamed %s to %s",
> -		 oldref, newref);
> +	strbuf_addf(&logmsg, "Branch: renamed %s to %s",
> +		 oldref.buf, newref.buf);

I am wondering why nobody has complained until now, but shouldn't this be
oldname and newname?  

    Reflog message: Branch: renamed refs/heads/master to refs/heads/naster

does not feel right, even though it is perfectly understandable to people
who know the internal (i.e. branches are implemented as a ref in
refs/heads hierarchy).

Rewording of the above, if it is ever done, has to be a separate commit,
and it is a behaviour change (if some third-party tool is reading and
parsing the reflog we will break it) which I do not particularly think is
worth doing.

I am mentioning this only because I just noticed it (and do not want to do
the thinking myself ;-).

Re: [PATCH 3/3] builtin-branch: use strbuf in rename_branch()

[Johannes Schindelin]

Hi,

On Tue, 18 Nov 2008, Junio C Hamano wrote:

> Miklos Vajna <vmiklos@frugalware.org> writes:
> 
> > -	snprintf(logmsg, sizeof(logmsg), "Branch: renamed %s to %s",
> > -		 oldref, newref);
> > +	strbuf_addf(&logmsg, "Branch: renamed %s to %s",
> > +		 oldref.buf, newref.buf);
> 
> I am wondering why nobody has complained until now, but shouldn't this 
> be oldname and newname?

I think that was the intention.  Lars?

Ciao,
Dscho

Re: [PATCH 3/3] builtin-branch: use strbuf in rename_branch()

[Lars Hjemli]

On Wed, Nov 19, 2008 at 02:11, Johannes Schindelin
<Johannes.Schindelin@gmx.de> wrote:
> Hi,
>
> On Tue, 18 Nov 2008, Junio C Hamano wrote:
>
>> Miklos Vajna <vmiklos@frugalware.org> writes:
>>
>> > -   snprintf(logmsg, sizeof(logmsg), "Branch: renamed %s to %s",
>> > -            oldref, newref);
>> > +   strbuf_addf(&logmsg, "Branch: renamed %s to %s",
>> > +            oldref.buf, newref.buf);
>>
>> I am wondering why nobody has complained until now, but shouldn't this
>> be oldname and newname?
>
> I think that was the intention.  Lars?

Some background: the message was first generated internally (in
c976d415) by refs.c:rename_ref() and thus it made sense to use the
full refname. Sometime later (in 678d0f4c), rename_ref() was modified
to get the message as an argument from
builtin_branch.c:rename_branch() but the format of the message was
kept (almost) identical.

Personally, I think it's nice if the reflog contains the full refname.

--
larsh