f53c5de29c
'git {log,diff,...} -S<...> --pickaxe-regex' can segfault as a result
of out-of-bounds memory reads.
diffcore-pickaxe.c:contains() looks for all matches of the given regex
in a buffer in a loop, advancing the buffer pointer to the end of the
last match in each iteration. When we switched to REG_STARTEND in
b7d36ffca (regex: use regexec_buf(), 2016-09-21), we started passing
the size of that buffer to the regexp engine, too. Unfortunately,
this buffer size is never updated on subsequent iterations, and as the
buffer pointer advances on each iteration, this "bufptr+bufsize"
points past the end of the buffer. This results in segmentation
fault, if that memory can't be accessed. In case of 'git log' it can
also result in erroneously listed commits, if the memory past the end
of buffer is accessible and happens to contain data matching the
regex.
Reduce the buffer size on each iteration as the buffer pointer is
advanced, thus maintaining the correct end of buffer location.
Furthermore, make sure that the buffer pointer is not dereferenced in
the control flow statements when we already reached the end of the
buffer.
The new test is flaky, I've never seen it fail on my Linux box even
without the fix, but this is expected according to db5dfa3 (regex:
-G<pattern> feeds a non NUL-terminated string to regexec() and fails,
2016-09-21). However, it did fail on Travis CI with the first (and
incomplete) version of the fix, and based on that commit message I
would expect the new test without the fix to fail most of the time on
Windows.
Signed-off-by: SZEDER Gábor <szeder.dev@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
240 lines
5.7 KiB
C
240 lines
5.7 KiB
C
/*
|
|
* Copyright (C) 2005 Junio C Hamano
|
|
* Copyright (C) 2010 Google Inc.
|
|
*/
|
|
#include "cache.h"
|
|
#include "diff.h"
|
|
#include "diffcore.h"
|
|
#include "xdiff-interface.h"
|
|
#include "kwset.h"
|
|
|
|
typedef int (*pickaxe_fn)(mmfile_t *one, mmfile_t *two,
|
|
struct diff_options *o,
|
|
regex_t *regexp, kwset_t kws);
|
|
|
|
struct diffgrep_cb {
|
|
regex_t *regexp;
|
|
int hit;
|
|
};
|
|
|
|
static void diffgrep_consume(void *priv, char *line, unsigned long len)
|
|
{
|
|
struct diffgrep_cb *data = priv;
|
|
regmatch_t regmatch;
|
|
|
|
if (line[0] != '+' && line[0] != '-')
|
|
return;
|
|
if (data->hit)
|
|
/*
|
|
* NEEDSWORK: we should have a way to terminate the
|
|
* caller early.
|
|
*/
|
|
return;
|
|
data->hit = !regexec_buf(data->regexp, line + 1, len - 1, 1,
|
|
®match, 0);
|
|
}
|
|
|
|
static int diff_grep(mmfile_t *one, mmfile_t *two,
|
|
struct diff_options *o,
|
|
regex_t *regexp, kwset_t kws)
|
|
{
|
|
regmatch_t regmatch;
|
|
struct diffgrep_cb ecbdata;
|
|
xpparam_t xpp;
|
|
xdemitconf_t xecfg;
|
|
|
|
if (!one)
|
|
return !regexec_buf(regexp, two->ptr, two->size,
|
|
1, ®match, 0);
|
|
if (!two)
|
|
return !regexec_buf(regexp, one->ptr, one->size,
|
|
1, ®match, 0);
|
|
|
|
/*
|
|
* We have both sides; need to run textual diff and see if
|
|
* the pattern appears on added/deleted lines.
|
|
*/
|
|
memset(&xpp, 0, sizeof(xpp));
|
|
memset(&xecfg, 0, sizeof(xecfg));
|
|
ecbdata.regexp = regexp;
|
|
ecbdata.hit = 0;
|
|
xecfg.ctxlen = o->context;
|
|
xecfg.interhunkctxlen = o->interhunkcontext;
|
|
if (xdi_diff_outf(one, two, diffgrep_consume, &ecbdata, &xpp, &xecfg))
|
|
return 0;
|
|
return ecbdata.hit;
|
|
}
|
|
|
|
static unsigned int contains(mmfile_t *mf, regex_t *regexp, kwset_t kws)
|
|
{
|
|
unsigned int cnt;
|
|
unsigned long sz;
|
|
const char *data;
|
|
|
|
sz = mf->size;
|
|
data = mf->ptr;
|
|
cnt = 0;
|
|
|
|
if (regexp) {
|
|
regmatch_t regmatch;
|
|
int flags = 0;
|
|
|
|
while (sz && *data &&
|
|
!regexec_buf(regexp, data, sz, 1, ®match, flags)) {
|
|
flags |= REG_NOTBOL;
|
|
data += regmatch.rm_eo;
|
|
sz -= regmatch.rm_eo;
|
|
if (sz && *data && regmatch.rm_so == regmatch.rm_eo) {
|
|
data++;
|
|
sz--;
|
|
}
|
|
cnt++;
|
|
}
|
|
|
|
} else { /* Classic exact string match */
|
|
while (sz) {
|
|
struct kwsmatch kwsm;
|
|
size_t offset = kwsexec(kws, data, sz, &kwsm);
|
|
if (offset == -1)
|
|
break;
|
|
sz -= offset + kwsm.size[0];
|
|
data += offset + kwsm.size[0];
|
|
cnt++;
|
|
}
|
|
}
|
|
return cnt;
|
|
}
|
|
|
|
static int has_changes(mmfile_t *one, mmfile_t *two,
|
|
struct diff_options *o,
|
|
regex_t *regexp, kwset_t kws)
|
|
{
|
|
unsigned int one_contains = one ? contains(one, regexp, kws) : 0;
|
|
unsigned int two_contains = two ? contains(two, regexp, kws) : 0;
|
|
return one_contains != two_contains;
|
|
}
|
|
|
|
static int pickaxe_match(struct diff_filepair *p, struct diff_options *o,
|
|
regex_t *regexp, kwset_t kws, pickaxe_fn fn)
|
|
{
|
|
struct userdiff_driver *textconv_one = NULL;
|
|
struct userdiff_driver *textconv_two = NULL;
|
|
mmfile_t mf1, mf2;
|
|
int ret;
|
|
|
|
if (!o->pickaxe[0])
|
|
return 0;
|
|
|
|
/* ignore unmerged */
|
|
if (!DIFF_FILE_VALID(p->one) && !DIFF_FILE_VALID(p->two))
|
|
return 0;
|
|
|
|
if (DIFF_OPT_TST(o, ALLOW_TEXTCONV)) {
|
|
textconv_one = get_textconv(p->one);
|
|
textconv_two = get_textconv(p->two);
|
|
}
|
|
|
|
/*
|
|
* If we have an unmodified pair, we know that the count will be the
|
|
* same and don't even have to load the blobs. Unless textconv is in
|
|
* play, _and_ we are using two different textconv filters (e.g.,
|
|
* because a pair is an exact rename with different textconv attributes
|
|
* for each side, which might generate different content).
|
|
*/
|
|
if (textconv_one == textconv_two && diff_unmodified_pair(p))
|
|
return 0;
|
|
|
|
mf1.size = fill_textconv(textconv_one, p->one, &mf1.ptr);
|
|
mf2.size = fill_textconv(textconv_two, p->two, &mf2.ptr);
|
|
|
|
ret = fn(DIFF_FILE_VALID(p->one) ? &mf1 : NULL,
|
|
DIFF_FILE_VALID(p->two) ? &mf2 : NULL,
|
|
o, regexp, kws);
|
|
|
|
if (textconv_one)
|
|
free(mf1.ptr);
|
|
if (textconv_two)
|
|
free(mf2.ptr);
|
|
diff_free_filespec_data(p->one);
|
|
diff_free_filespec_data(p->two);
|
|
|
|
return ret;
|
|
}
|
|
|
|
static void pickaxe(struct diff_queue_struct *q, struct diff_options *o,
|
|
regex_t *regexp, kwset_t kws, pickaxe_fn fn)
|
|
{
|
|
int i;
|
|
struct diff_queue_struct outq;
|
|
|
|
DIFF_QUEUE_CLEAR(&outq);
|
|
|
|
if (o->pickaxe_opts & DIFF_PICKAXE_ALL) {
|
|
/* Showing the whole changeset if needle exists */
|
|
for (i = 0; i < q->nr; i++) {
|
|
struct diff_filepair *p = q->queue[i];
|
|
if (pickaxe_match(p, o, regexp, kws, fn))
|
|
return; /* do not munge the queue */
|
|
}
|
|
|
|
/*
|
|
* Otherwise we will clear the whole queue by copying
|
|
* the empty outq at the end of this function, but
|
|
* first clear the current entries in the queue.
|
|
*/
|
|
for (i = 0; i < q->nr; i++)
|
|
diff_free_filepair(q->queue[i]);
|
|
} else {
|
|
/* Showing only the filepairs that has the needle */
|
|
for (i = 0; i < q->nr; i++) {
|
|
struct diff_filepair *p = q->queue[i];
|
|
if (pickaxe_match(p, o, regexp, kws, fn))
|
|
diff_q(&outq, p);
|
|
else
|
|
diff_free_filepair(p);
|
|
}
|
|
}
|
|
|
|
free(q->queue);
|
|
*q = outq;
|
|
}
|
|
|
|
void diffcore_pickaxe(struct diff_options *o)
|
|
{
|
|
const char *needle = o->pickaxe;
|
|
int opts = o->pickaxe_opts;
|
|
regex_t regex, *regexp = NULL;
|
|
kwset_t kws = NULL;
|
|
|
|
if (opts & (DIFF_PICKAXE_REGEX | DIFF_PICKAXE_KIND_G)) {
|
|
int err;
|
|
int cflags = REG_EXTENDED | REG_NEWLINE;
|
|
if (DIFF_OPT_TST(o, PICKAXE_IGNORE_CASE))
|
|
cflags |= REG_ICASE;
|
|
err = regcomp(®ex, needle, cflags);
|
|
if (err) {
|
|
/* The POSIX.2 people are surely sick */
|
|
char errbuf[1024];
|
|
regerror(err, ®ex, errbuf, 1024);
|
|
regfree(®ex);
|
|
die("invalid regex: %s", errbuf);
|
|
}
|
|
regexp = ®ex;
|
|
} else {
|
|
kws = kwsalloc(DIFF_OPT_TST(o, PICKAXE_IGNORE_CASE)
|
|
? tolower_trans_tbl : NULL);
|
|
kwsincr(kws, needle, strlen(needle));
|
|
kwsprep(kws);
|
|
}
|
|
|
|
/* Might want to warn when both S and G are on; I don't care... */
|
|
pickaxe(&diff_queued_diff, o, regexp, kws,
|
|
(opts & DIFF_PICKAXE_KIND_G) ? diff_grep : has_changes);
|
|
|
|
if (regexp)
|
|
regfree(regexp);
|
|
else
|
|
kwsfree(kws);
|
|
return;
|
|
}
|