Am 31.03.2017 um 03:39 schrieb brian m. carlson:
> @@ -1081,10 +1081,10 @@ static const char *update(struct command *cmd, struct shallow_info *si)
> return "hook declined";
> }
>
> - if (is_null_sha1(new_sha1)) {
> + if (is_null_oid(new_oid)) {
> struct strbuf err = STRBUF_INIT;
> - if (!parse_object(old_sha1)) {
> - old_sha1 = NULL;
> + if (!parse_object(old_oid->hash)) {
> + old_oid = NULL;

So old_oid can become NULL...

> if (ref_exists(name)) {
> rp_warning("Allowing deletion of corrupt ref.");
> } else {
> @@ -1094,7 +1094,7 @@ static const char *update(struct command *cmd, struct shallow_info *si)
> }
> if (ref_transaction_delete(transaction,
> namespaced_name,
> - old_sha1,
> + old_oid->hash,

... and here we dereference it.

-- >8 --
Subject: [PATCH] receive-pack: don't access hash of NULL object_id pointer

We set old_oid to NULL if we found out that it's a corrupt reference. In that case don't try to access the hash member and pass NULL to ref_transaction_delete() instead.

Found with Clang's UBSan.

Signed-off-by: Rene Scharfe <l.s.r@xxxxxx>
---
That's the last bug of this kind which "make SANITIZE=undefined test" turned up.

 builtin/receive-pack.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/builtin/receive-pack.c b/builtin/receive-pack.c
index cabdc55e09..946cf55138 100644
--- a/builtin/receive-pack.c
+++ b/builtin/receive-pack.c
@@ -1138,7 +1138,7 @@ static const char *update(struct command *cmd, struct shallow_info *si)
 }
 if (ref_transaction_delete(transaction,
 namespaced_name,
- old_oid->hash,
+ old_oid ? old_oid->hash : NULL,
 0, "push", &err)) {
 rp_error("%s", err.buf);
 strbuf_release(&err);
-- 
2.13.3
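Review bot: The added `old_oid ? old_oid->hash : NULL` on the `ref_transaction_delete()` call is correct but undocumented at the point where it matters: the NULL is assigned roughly fifty lines earlier, in the `!parse_object(old_oid->hash)` branch quoted above, and, as far as I can tell from the `old_sha1 = NULL` code this series replaces, a NULL old value means the transaction performs no old-value comparison, so a corrupt ref is deleted unconditionally rather than compare-and-swapped against the value the client sent; please confirm that against the refs.h contract. That policy for corrupt refs predates this patch and is not something it introduces, but this ternary is the only place the two facts meet and nothing on the new line says why NULL is acceptable here. I would add a comment above the call, e.g. `/* old_oid is NULL for a corrupt ref (see the parse_object() check above): no old-value check, the ref is deleted unconditionally */`. update() begins and ends outside the hunk.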