BUG: rev-parse segfault with invalid input

Hi,

Certain invalid input causes git rev-parse to crash rather
than return a 'fatal: ambiguous argument ...' error.

This was reported against the Fedora git package:

    https://bugzilla.redhat.com/1581678

Simple reproduction recipe and analysis, from the bug:

    $ git init
    Initialized empty Git repository in /tmp/t/.git/
    $ git rev-parse ffffffffffffffffffffffffffffffffffffffff^@
    Segmentation fault (core dumped)

    gdb) break lookup_commit_reference
    Breakpoint 1 at 0x555555609f00: lookup_commit_reference. (3 locations)
    (gdb) r
    Starting program: /usr/bin/git rev-parse ffffffffffffffffffffffffffffffffffffffff\^@
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib64/libthread_db.so.1".

    Breakpoint 1, lookup_commit_reference (oid=oid@entry=0x7fffffffd550) at commit.c:34
    34              return lookup_commit_reference_gently(oid, 0);
    (gdb) finish
    Run till exit from #0  lookup_commit_reference (oid=oid@entry=0x7fffffffd550) at commit.c:34
    try_parent_shorthands (arg=0x7fffffffdd44 'f' <repeats 40 times>) at builtin/rev-parse.c:314
    314                     include_parents = 1;
    Value returned is $1 = (struct commit *) 0x0
    (gdb) c

    (gdb) c
    Continuing.

    Program received signal SIGSEGV, Segmentation fault.
    try_parent_shorthands (arg=0x7fffffffdd44 'f' <repeats 40 times>) at builtin/rev-parse.c:345
    345             for (parents = commit->parents, parent_number = 1;
    (gdb) l 336,+15
    336             commit = lookup_commit_reference(&oid);
    337             if (exclude_parent &&
    338                 exclude_parent > commit_list_count(commit->parents)) {
    339                     *dotdot = '^';
    340                     return 0;
    341             }
    342     
    343             if (include_rev)
    344                     show_rev(NORMAL, &oid, arg);
    345             for (parents = commit->parents, parent_number = 1;
    346                  parents;
    347                  parents = parents->next, parent_number++) {
    348                     char *name = NULL;
    349     
    350                     if (exclude_parent && parent_number != exclude_parent)
    351                             continue;

    Looks like a null pointer check is missing.

This occurs on master and as far back as 1.8.3.1 (what's in
RHEL-6, I didn't try to test anything older).  Only a string
with 40 valid hex characters and ^@, @-, or ^! seems to
trigger it.

-- 
Todd
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I don't mind arguing with myself. It's when I lose that it bothers me.
    -- Richard Powers
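A minimal C model of the crash path and the missing check, added here as an illustration; it is not git's code. The struct shapes, the single-commit "object store", the hex ids and the function name `count_parent_shorthand` are all constructed for the example; the point is that `lookup_commit_reference()` returns NULL for an object that does not exist, and the parent loop must not run in that case.

```c
#include <string.h>

/* Assumed stand-ins for git's commit / commit_list, not git's real headers. */
struct commit_list;
struct commit { struct commit_list *parents; };
struct commit_list { struct commit *item; struct commit_list *next; };

/* Constructed object store: exactly one commit exists, and it has two parents. */
static struct commit p1, p2;
static struct commit_list l2 = { &p2, NULL };
static struct commit_list l1 = { &p1, &l2 };
static struct commit known = { &l1 };
static const char KNOWN_OID[] = "0123456789abcdef0123456789abcdef01234567";

/* Like git's lookup_commit_reference(): NULL when the object does not exist. */
static struct commit *lookup_commit_reference(const char *hex)
{
    return strcmp(hex, KNOWN_OID) == 0 ? &known : NULL;
}

/* Number of parents the "<40-hex>^@" / "<40-hex>^!" shorthand expands to.
 * Returns -2 if arg is not such a shorthand, and -1 (with with_null_check set)
 * when the commit does not exist, so the caller can fall through to the normal
 * 'fatal: ambiguous argument' path. With with_null_check == 0 it reproduces the
 * reported bug: commit->parents is read through a NULL pointer. */
static int count_parent_shorthand(const char *arg, int with_null_check)
{
    const char *caret = strrchr(arg, '^');
    char hex[41];
    struct commit *commit;
    struct commit_list *p;
    int n = 0;

    if (!caret || caret - arg != 40 || (strcmp(caret, "^@") && strcmp(caret, "^!")))
        return -2;
    memcpy(hex, arg, 40);
    hex[40] = '\0';
    commit = lookup_commit_reference(hex);
    if (with_null_check && !commit)
        return -1;                       /* the check the report says is missing */
    for (p = commit->parents; p; p = p->next)  /* segfaults here when commit == NULL */
        n++;
    return n;
}
```

Only the checked path is safe to exercise with a nonexistent object id; calling it with `with_null_check == 0` on the 40 f's reproduces the segfault from the report.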
