Commit 7088cbe

TODO: Assert the preceding change, doesn't work...
This fails with e.g. this t9350-fast-export.sh test, perhaps we have a
\0-delimited and use that last byte for an implicit \n?

    + git tag -a -m valentin muss
    =================================================================
    ==32504==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d0000005ab at pc 0x556431ac3cac bp 0x7ffe67fcff50 sp 0x7ffe67fcff48
    READ of size 1 at 0x60d0000005ab thread T0
        #0 0x556431ac3cab in parse_tag_buffer tag.c:155
        #1 0x5564319194f3 in parse_object_buffer object.c:245
        #2 0x556431919a11 in parse_object object.c:298
        #3 0x5564319e2e96 in write_ref_to_lockfile refs/files-backend.c:1781
        #4 0x5564319e71e8 in lock_ref_for_update refs/files-backend.c:2590
        #5 0x5564319e7db5 in files_transaction_prepare refs/files-backend.c:2763
        #6 0x5564319d41d9 in ref_transaction_prepare refs.c:2146
        #7 0x5564319d4465 in ref_transaction_commit refs.c:2195
        #8 0x5564316706b9 in cmd_tag builtin/tag.c:630
        #9 0x5564314168ff in run_builtin git.c:466
        #10 0x5564314172ab in handle_builtin git.c:720
        #11 0x5564314179d5 in run_argv git.c:787
        #12 0x55643141874f in cmd_main git.c:920
        #13 0x556431695a4d in main common-main.c:56
        #14 0x7fa9ba2aa81c in __libc_start_main ../csu/libc-start.c:332
        #15 0x556431412209 in _start (git+0x1d2209)

    0x60d0000005ab is located 0 bytes to the right of 139-byte region [0x60d000000520,0x60d0000005ab)
    allocated by thread T0 here:
        #0 0x7fa9ba5fc9cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
        #1 0x556431b3f334 in do_xmalloc wrapper.c:51
        #2 0x556431b3f43a in do_xmallocz wrapper.c:85
        #3 0x556431b3f4ab in xmallocz wrapper.c:93
        #4 0x556431902114 in unpack_loose_rest object-file.c:1312
        #5 0x556431902ed9 in loose_object_info object-file.c:1479
        #6 0x556431903785 in do_oid_object_info_extended object-file.c:1577
        #7 0x556431903b2d in oid_object_info_extended object-file.c:1639
        #8 0x556431903f3f in read_object object-file.c:1671
        #9 0x5564319043c7 in read_object_file_extended object-file.c:1714
        #10 0x556431917ff0 in repo_read_object_file object-store.h:253
        #11 0x5564319198b3 in parse_object object.c:290
        #12 0x5564319e2e96 in write_ref_to_lockfile refs/files-backend.c:1781
        #13 0x5564319e71e8 in lock_ref_for_update refs/files-backend.c:2590
        #14 0x5564319e7db5 in files_transaction_prepare refs/files-backend.c:2763
        #15 0x5564319d41d9 in ref_transaction_prepare refs.c:2146
        #16 0x5564319d4465 in ref_transaction_commit refs.c:2195
        #17 0x5564316706b9 in cmd_tag builtin/tag.c:630
        #18 0x5564314168ff in run_builtin git.c:466
        #19 0x5564314172ab in handle_builtin git.c:720
        #20 0x5564314179d5 in run_argv git.c:787
        #21 0x55643141874f in cmd_main git.c:920
        #22 0x556431695a4d in main common-main.c:56
        #23 0x7fa9ba2aa81c in __libc_start_main ../csu/libc-start.c:332
        #24 0x556431412209 in _start (git+0x1d2209)

    SUMMARY: AddressSanitizer: heap-buffer-overflow tag.c:155 in parse_tag_buffer
    Shadow bytes around the buggy address:
      0x0c1a7fff8060: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
      0x0c1a7fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1a7fff8080: 00 03 fa fa fa fa fa fa fa fa fd fd fd fd fd fd
      0x0c1a7fff8090: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
      0x0c1a7fff80a0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c1a7fff80b0: 00 00 00 00 00[03]fa fa fa fa fa fa fa fa fa fa
      0x0c1a7fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1a7fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1a7fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1a7fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1a7fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):

Signed-off-by: Ævar Arnfjörð Bjarmason <[email protected]>
1 parent fbbdaac commit 7088cbe

1 file changed

+3
-0
lines changed

tag.c

Lines changed: 3 additions & 0 deletions
@@ -141,6 +141,9 @@ int parse_tag_buffer(struct repository *r, struct tag *item, const void *data, u
141141
const char *tail = bufptr + size;
142142
const char *nl;
143143

144+
if (0 && *(tail + 1) != '\0')
145+
BUG("TODO: assert \\0-delimited buffer!");
146+
144147
if (item->object.parsed)
145148
return 0;
146149

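Review bot: the added check at new line 144 is dead code and, if ever enabled, is itself an out-of-bounds read. `0 && ...` short-circuits, so `*(tail + 1)` is never evaluated and the `BUG("TODO: assert \\0-delimited buffer!")` can never fire; a disabled assertion documents nothing for the next reader and should either be dropped or turned on once the invariant is settled. As written the expression is also wrong for what the commit message is asking: `tail` is `bufptr + size`, already one past the last byte of `data`, so `tail + 1` is two bytes past the end. If the buffer is NUL-delimited, that terminator would sit at `*tail` (`bufptr[size]`), so the check should read `*tail != '\0'`, and it should not dereference anything past `tail` unless every caller guarantees the extra byte. Note too that the AddressSanitizer report in the commit message points at tag.c:155 in parse_tag_buffer, a later line in this function, not at line 144, so an assertion here would not catch the read that actually overflowed; confirming whether `size` includes the terminator is the prerequisite for asserting on either byte.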