On 2019-09-15 at 12:10:28, René Scharfe wrote:
> Reject values that don't fit into an int, as get_parent() and
> get_nth_ancestor() cannot handle them. That's better than potentially
> returning a random object.
>
> If this restriction turns out to be too tight then we can switch to a
> wider data type, but we'd still have to check for overflow.
Certainly we want Git to perform as well as possible on large
repositories, but I doubt if it will scale to more than 2 billion
revisions, even with significant effort. I think this restriction
should be fine.
> diff --git a/sha1-name.c b/sha1-name.c
> index c665e3f96d..7a047e9e2b 100644
> --- a/sha1-name.c
> +++ b/sha1-name.c
> @@ -1160,13 +1160,22 @@ static enum get_oid_result get_oid_1(struct repository *r,
> }
>
> if (has_suffix) {
> - int num = 0;
> + unsigned int num = 0;
> int len1 = cp - name;
> cp++;
> - while (cp < name + len)
> - num = num * 10 + *cp++ - '0';
> + while (cp < name + len) {
> + unsigned int digit = *cp++ - '0';
> + if (unsigned_mult_overflows(num, 10))
> + return MISSING_OBJECT;
> + num *= 10;
> + if (unsigned_add_overflows(num, digit))
> + return MISSING_OBJECT;
I was worried whether these functions only handled size_t or if they
also handle unsigned int, but I checked and they seem to be fine for any
unsigned type.
> + num += digit;
> + }
> if (!num && len1 == len - 1)
> num = 1;
> + else if (num > INT_MAX)
> + return MISSING_OBJECT;
> if (has_suffix == '^')
> return get_parent(r, name, len1, oid, num);
> /* else if (has_suffix == '~') -- goes without saying */
This approach seems reasonable. I must admit some curiosity as to how
you discovered this issue, though. Did you have a cat assisting you in
typing revisions?
--
brian m. carlson: Houston, Texas, US
OpenPGP: https://keybase.io/bk2204
Attachment:
signature.asc
Description: PGP signature
