Hi,
On Thu, 14 Feb 2008, Martin Koegler wrote:
> diff --git a/commit.c b/commit.c
> index 8b8fb04..53f0042 100644
> --- a/commit.c
> +++ b/commit.c
> @@ -311,6 +311,8 @@ int parse_commit(struct commit *item)
> unsigned long size;
> int ret;
>
> + if (!item)
> + return -1;
Yeah, I just grepped for users of parse_commit(), and there are just too
many, so this change makes sense.
> @@ -385,8 +387,7 @@ struct commit *pop_most_recent_commit(struct commit_list **list,
>
> while (parents) {
> struct commit *commit = parents->item;
> - parse_commit(commit);
> - if (!(commit->object.flags & mark)) {
> + if (!parse_commit(commit) && !(commit->object.flags & mark)) {
This makes sense, too.
> @@ -552,8 +553,10 @@ static struct commit_list *merge_bases(struct commit *one, struct commit *two)
> */
> return commit_list_insert(one, &result);
>
> - parse_commit(one);
> - parse_commit(two);
> + if (parse_commit(one))
> + die("invalid commit");
> + if (parse_commit(two))
> + die("invalid commit");
I'd rather have this return NULL after displaying an error. After all,
merge_bases() is sort of "libified".
BTW a simple "git grep parse_commit\( | grep -vwe if -e gitweb" shows
this:
builtin-blame.c: parse_commit(commit);
builtin-checkout.c: parse_commit(commit);
builtin-checkout.c: parse_commit(old->commit);
builtin-checkout.c: parse_commit(new->commit);
builtin-checkout.c: parse_commit(new.commit);
builtin-describe.c: parse_commit(p);
builtin-describe.c: parse_commit(p);
builtin-fast-export.c: parse_commit(commit);
builtin-fast-export.c: parse_commit(commit->parents->item);
builtin-fetch-pack.c: parse_commit(commit);
builtin-fetch-pack.c: parse_commit(commit);
builtin-fetch-pack.c: parse_commit(commit);
builtin-name-rev.c: parse_commit(commit);
builtin-show-branch.c: parse_commit(p);
builtin-show-branch.c: parse_commit(commit);
commit.c:int parse_commit(struct commit *item)
commit.c: parse_commit(commit);
commit.c: parse_commit(one);
commit.c: parse_commit(two);
commit.c: parse_commit(p);
commit.h:int parse_commit(struct commit *item);
contrib/gitview/gitview: self.parse_commit(commit_lines)
contrib/gitview/gitview: def parse_commit(self, commit_lines):
shallow.c: parse_commit(commit);
upload-pack.c: parse_commit((struct commit *)object);
A few of those need checking, too, I think.
> @@ -584,9 +587,12 @@ static struct commit_list *merge_bases(struct commit *one, struct commit *two)
> while (parents) {
> struct commit *p = parents->item;
> parents = parents->next;
> + if (!p)
> + die("invalid commit");
> if ((p->object.flags & flags) == flags)
> continue;
> - parse_commit(p);
> + if(parse_commit(p))
> + die("invalid commit");
> p->object.flags |= flags;
> insert_by_date(p, &list);
> }
Again, please do not die() in merge_bases().
> diff --git a/revision.c b/revision.c
> index 6e85aaa..9f8723d 100644
> --- a/revision.c
> +++ b/revision.c
> @@ -46,6 +46,8 @@ void add_object(struct object *obj,
>
> static void mark_blob_uninteresting(struct blob *blob)
> {
> + if (!blob)
> + return;
IMHO not needed [*1*]. The first user of this (static) function calls it
with lookup_blob(), which assumes that the blob has been read already.
The second uses a checked object.
> @@ -57,6 +59,8 @@ void mark_tree_uninteresting(struct tree *tree)
> struct name_entry entry;
> struct object *obj = &tree->object;
>
> + if (!obj)
> + return;
Same here.
> @@ -94,6 +98,8 @@ void mark_parents_uninteresting(struct commit *commit)
>
> while (parents) {
> struct commit *commit = parents->item;
> + if (!commit)
> + continue;
Can parents->item really be NULL? I think not. And indeed, a little
search reveals that parse_commit_buffer() does this when it constructs the
parents list, and encounters an invalid SHA-1:
return error("bad parents in commit %s", sha1_to_hex(item->object.sha1));
In case it is a valid SHA-1, but not a commit, it is ignored.
> @@ -173,6 +179,8 @@ static struct commit *handle_commit(struct rev_info *revs, struct object *object
> struct tag *tag = (struct tag *) object;
> if (revs->tag_objects && !(flags & UNINTERESTING))
> add_pending_object(revs, object, tag->tag);
> + if (!tag->tagged)
> + die("bad tag");
I haven't looked yet, but I suspect that this is as impossible as the
invalid parent.
> @@ -685,12 +693,16 @@ static int add_parents_only(struct rev_info *revs, const char *arg, int flags)
> it = get_reference(revs, arg, sha1, 0);
> if (it->type != OBJ_TAG)
> break;
> + if (!((struct tag*)it)->tagged)
> + return 0;
See above.
> hashcpy(sha1, ((struct tag*)it)->tagged->sha1);
> }
> if (it->type != OBJ_COMMIT)
> return 0;
> commit = (struct commit *)it;
> for (parents = commit->parents; parents; parents = parents->next) {
> + if (!parents->item)
> + continue;
See above.
> diff --git a/sha1_file.c b/sha1_file.c
> index 4179949..c25ce64 100644
> --- a/sha1_file.c
> +++ b/sha1_file.c
> @@ -1943,7 +1943,8 @@ void *read_object_with_reference(const unsigned char *sha1,
> }
> ref_length = strlen(ref_type);
>
> - if (memcmp(buffer, ref_type, ref_length) ||
> + if (ref_length + 40 >= size ||
> + memcmp(buffer, ref_type, ref_length) ||
Makes sense.
> diff --git a/sha1_name.c b/sha1_name.c
> index be8489e..bd0bce6 100644
> --- a/sha1_name.c
> +++ b/sha1_name.c
> @@ -396,6 +396,8 @@ static int get_parent(const char *name, int len,
> p = commit->parents;
> while (p) {
> if (!--idx) {
> + if (!p->item)
> + return -1;
See above.
> @@ -417,6 +419,8 @@ static int get_nth_ancestor(const char *name, int len,
>
> if (!commit || parse_commit(commit) || !commit->parents)
> return -1;
> + if (!commit->parents->item)
> + return -1;
See above.
> @@ -494,6 +498,8 @@ static int peel_onion(const char *name, int len, unsigned char *sha1)
> return error("%.*s: expected %s type, but the object dereferences to %s type",
> len, name, typename(expected_type),
> typename(o->type));
> + if (!o)
> + return -1;
You probably want to guard for ((tag *)o)->tagged == NULL; Okay, now I am
curious. *megoesandlooks* Indeed, if the tag refers to an unknown type,
tagged = NULL.
But I think in that case, it should return an error(). And maybe only for
type == OBJ_TAG.
> @@ -580,6 +586,8 @@ static int handle_one_ref(const char *path,
> return 0;
> if (object->type == OBJ_TAG)
> object = deref_tag(object, path, strlen(path));
> + if (!object)
> + return 0;
As above, it looks strange to see that object->something is checked, and
_then_ object. I'd put this into curly brackets, together with the
deref_tag(), just to help the reader a bit, should she be as weak in mind
as yours truly.
> @@ -617,7 +625,8 @@ static int get_sha1_oneline(const char *prefix, unsigned char *sha1)
> unsigned long size;
>
> commit = pop_most_recent_commit(&list, ONELINE_SEEN);
> - parse_object(commit->object.sha1);
> + if(!parse_object(commit->object.sha1))
> + continue;
Makes sense, but please add a space after the "if".
> diff --git a/tag.c b/tag.c
> index 38bf913..990134f 100644
> --- a/tag.c
> +++ b/tag.c
> @@ -9,7 +9,10 @@ const char *tag_type = "tag";
> struct object *deref_tag(struct object *o, const char *warn, int warnlen)
> {
> while (o && o->type == OBJ_TAG)
> - o = parse_object(((struct tag *)o)->tagged->sha1);
> + if (((struct tag *)o)->tagged)
> + o = parse_object(((struct tag *)o)->tagged->sha1);
> + else
> + o = NULL;
Knowing that tagged _can_ be NULL, this makes tons of sense. Except that
again, I'd call error() to tell the user, before setting o = NULL.
Ciao,
Dscho
[*1*] There might be a few people arguing that defensive programming is
never wrong.
Alas, I saw my share of defensive programming, and more often than not,
the real bugs were hard to find in between all those checks. And some
checks were actively wrong -- again hard to see...
Remember: You can make code so simple that there are obviously no bugs.
And the other way is to make it so complicated that there are no obvious
bugs.
-
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
