Hi all,

I'm working on a C++ static analyzer (Vigilant Sentry), and git is one
of my test subjects. In git-1.6.6, I found a crash in the fast-export
command:

The problem is in builtin-fast-export.c, function export_marks:

    f = fopen(file, "w");
    if (!f)
        error("Unable to open marks file %s for writing.", file);

    for (i = 0; i < idnums.size; i++) {
        if (deco->base && deco->base->type == 1) {
            mark = ptr_to_mark(deco->decoration);
            if (fprintf(f, ":%"PRIu32" %s\n", mark,
                    sha1_to_hex(deco->base->sha1)) < 0) {
                e = 1;
                break;
            }
        }
        deco++;
    }

    e |= ferror(f);
    e |= fclose(f);

If fopen() fails, the error message is printed, but the function
doesn't exit. The subsequent calls to fprintf and/or ferror will fail
because f is NULL.

A simple way to reproduce is to export to a path you don't have
write access to:

    $ git fast-export --export-marks=/foo
    error: Unable to open marks file /foo for writing.
    Segmentation fault (core dumped)

I've attached a trivial patch that calls die_errno instead of error,
so the program exits if f is NULL.

Regards,
Mike

-- 
Mike Mueller
mmueller@xxxxxxxxxxxxxx
http://www.vigilantsw.com/

diff --git a/builtin-fast-export.c b/builtin-fast-export.c index b0a4029..963e89b 100644 --- a/builtin-fast-export.c +++ b/builtin-fast-export.c @@ -503,7 +503,7 @@ static void export_marks(char *file) f = fopen(file, "w"); if (!f) - error("Unable to open marks file %s for writing.", file); + die_errno("Unable to open marks file %s for writing", file); for (i = 0; i < idnums.size; i++) { if (deco->base && deco->base->type == 1) {
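
Review bot: the patch has no commit message or Signed-off-by line, so the reason for the change at the `if (!f)` check in export_marks() is recorded only in the cover text; please fold the explanation (fopen() returning NULL, then fprintf()/ferror()/fclose() being called on it) and the reproduction `git fast-export --export-marks=/foo` into the commit message. The code change itself looks right: die_errno() exits before the loop touches `f`, nothing runs between fopen() and the check so errno still belongs to fopen(), and dropping the trailing period fits because die_errno() appends the errno description after the message. A small follow-up worth considering is a test that passes an unwritable --export-marks path and expects a non-zero exit rather than a crash.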