From: ZheNing Hu <adlternative@xxxxxxxxx>

used_atom.u is a union, and it has different members depending on what atom the auxiliary data the union part of the "struct used_atom" wants to record. At most only one of the members can be valid at any one time. Since the code checks u.remote_ref without even making sure if the atom is "push" or "push:" (which are the only two cases in which u.remote_ref.push becomes valid), but u.remote_ref shares the same storage with the other members of the union, the check was reading from an invalid member, which was the bug.

Modify the condition here to check whether the atom name equals "push" or starts with "push:", to avoid reading the value of an invalid member of the union.

Helped-by: Junio C Hamano <gitster@xxxxxxxxx>
Signed-off-by: ZheNing Hu <adlternative@xxxxxxxxx>
---
[GSOC] ref-filter: fix read invalid union member bug

Change from last version: Modify the processing method of the condition: check whether the name of the atom equals to "push" or starts with "pushs", which can enhanced security, although it may bring string match overhead.

Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-949%2Fadlternative%2Fref-filter-enum-bug-fix-v3
Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-949/adlternative/ref-filter-enum-bug-fix-v3
Pull-Request: https://github.com/gitgitgadget/git/pull/949

Range-diff vs v2: 1: 0e1923c9d722 ! 1: 21cf7a44e168 [GSOC] ref-filter: fix read invalid union member bug @@ Commit message used_atom.u is an union, and it has different members depending on what atom the auxiliary data the union part of the "struct - used_atom" wants to record. At most only one of the members can be - valid at any one time. Since the code checks u.remote_ref without + used_atom" wants to record. At most only one of the members can be + valid at any one time. Since the code checks u.remote_ref without even making sure if the atom is "push" or "push:" (which are only two cases that u.remote_ref.push becomes valid), but u.remote_ref shares the same storage for other members of the union, the check was reading from an invalid member, which was the bug. - Modify the condition here to first check whether the atom name - starts with "push", and then check u.remote_ref, to avoid reading - the value of invalid member of the union. + Modify the condition here to check whether the atom name + equals to "push" or starts with "push:", to avoid reading the + value of invalid member of the union. Helped-by: Junio C Hamano <gitster@xxxxxxxxx> 
Signed-off-by: ZheNing Hu <adlternative@xxxxxxxxx> @@ ref-filter.c: static int populate_value(struct ref_array_item *ref, struct strbu v->s = xstrdup(""); continue; - } else if (atom->u.remote_ref.push) { -+ } else if (starts_with(name, "push") && atom->u.remote_ref.push) { ++ } else if (!strcmp(atom->name, "push") || starts_with(atom->name, "push:")) { const char *branch_name; v->s = xstrdup(""); if (!skip_prefix(ref->refname, "refs/heads/", ref-filter.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ref-filter.c b/ref-filter.c index a0adb4551d87..213d3773ada3 100644 --- a/ref-filter.c +++ b/ref-filter.c @@ -1730,7 +1730,7 @@ static int populate_value(struct ref_array_item *ref, struct strbuf *err) else v->s = xstrdup(""); continue; - } else if (atom->u.remote_ref.push) { + } else if (!strcmp(atom->name, "push") || starts_with(atom->name, "push:")) { const char *branch_name; v->s = xstrdup(""); if (!skip_prefix(ref->refname, "refs/heads/", base-commit: 311531c9de557d25ac087c1637818bd2aad6eb3a -- gitgitgadget
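Review bot: in the range-diff's ref-filter.c hunk, v3 removes `atom->u.remote_ref.push` from the condition altogether instead of only guarding it as v2 did (`starts_with(name, "push") && atom->u.remote_ref.push`), so the branch is now selected purely by atom name and no longer reads any union member; that is what removes the invalid-member read, but it also means the name test here and whatever sets `u.remote_ref.push` at parse time must stay in agreement, which deserves a sentence in the commit message. The cover letter's 'starts with "pushs"' does not match the hunk, which tests `starts_with(atom->name, "push:")`.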
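Review bot: in the @@ -1730 hunk of ref-filter.c, `!strcmp(atom->name, "push") || starts_with(atom->name, "push:")` runs inside populate_value, so it is re-evaluated for every ref and every atom that reaches this else-if; this is the string-match overhead the cover letter mentions. Since which union member is valid is decided once when the atom is parsed, a more robust fix is to record that decision in a field outside the union (for example a small atom-kind value in struct used_atom set at parse time) and test that field here; that keeps name parsing out of populate_value and gives later readers of `u.` members a single authoritative check instead of a string comparison that has to be kept in sync with the parser.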