On Wed, May 23, 2018 at 12:52 PM, Todd Zullinger <tmz@xxxxxxxxx> wrote: > Hi, > > Certain invalid input causes git rev-parse to crash rather > than return a 'fatal: ambiguous argument ...' error. > > This was reported against the Fedora git package: > > https://bugzilla.redhat.com/1581678 > > Simple reproduction recipe and analysis, from the bug: > > $ git init > Initialized empty Git repository in /tmp/t/.git/ > $ git rev-parse ffffffffffffffffffffffffffffffffffffffff^@ > Segmentation fault (core dumped) > > gdb) break lookup_commit_reference > Breakpoint 1 at 0x555555609f00: lookup_commit_reference. (3 locations) > (gdb) r > Starting program: /usr/bin/git rev-parse ffffffffffffffffffffffffffffffffffffffff\^@ > [Thread debugging using libthread_db enabled] > Using host libthread_db library "/lib64/libthread_db.so.1". > > Breakpoint 1, lookup_commit_reference (oid=oid@entry=0x7fffffffd550) at commit.c:34 > 34 return lookup_commit_reference_gently(oid, 0); > (gdb) finish > Run till exit from #0 lookup_commit_reference (oid=oid@entry=0x7fffffffd550) at commit.c:34 > try_parent_shorthands (arg=0x7fffffffdd44 'f' <repeats 40 times>) at builtin/rev-parse.c:314 > 314 include_parents = 1; > Value returned is $1 = (struct commit *) 0x0 > (gdb) c > > (gdb) c > Continuing. > > Program received signal SIGSEGV, Segmentation fault. > try_parent_shorthands (arg=0x7fffffffdd44 'f' <repeats 40 times>) at builtin/rev-parse.c:345 > 345 for (parents = commit->parents, parent_number = 1; > (gdb) l 336,+15 > 336 commit = lookup_commit_reference(&oid); > 337 if (exclude_parent && > 338 exclude_parent > commit_list_count(commit->parents)) { > 339 *dotdot = '^'; > 340 return 0; > 341 } > 342 > 343 if (include_rev) > 344 show_rev(NORMAL, &oid, arg); > 345 for (parents = commit->parents, parent_number = 1; > 346 parents; > 347 parents = parents->next, parent_number++) { > 348 char *name = NULL; > 349 > 350 if (exclude_parent && parent_number != exclude_parent) > 351 continue; > > Looks like a null pointer check is missing. > > This occurs on master and as far back as 1.8.3.1 (what's in > RHEL-6, I didn't try to test anything older). Only a string > with 40 valid hex characters and ^@, @-, of ^! seems to > trigger it. Thanks for the detailed report. This apparently goes back to git-1.6.0 with commit 2122f8b963d4 ("rev-parse: Add support for the ^! and ^@ syntax", 2008-07-26). We aren't checking that the commit from lookup_commit_reference() is non-NULL before proceeding. Looks like it's simple to fix. I'll send a patch shortly...
