diff options
| author | Jeff King <peff@peff.net> | 2019-10-18 00:43:29 -0400 |
|---|---|---|
| committer | Junio C Hamano <gitster@pobox.com> | 2019-10-21 11:15:23 +0900 |
| commit | 12736d2f027c72d4c900f10ae064d2a673344c9e (patch) | |
| tree | 970ede9e341055be5d8cf7e6623c9d3146152668 /commit-graph.c | |
| parent | parse_commit_buffer(): treat lookup_commit() failure as parse error (diff) | |
| download | git-12736d2f027c72d4c900f10ae064d2a673344c9e.tar.gz git-12736d2f027c72d4c900f10ae064d2a673344c9e.zip | |
parse_commit_buffer(): treat lookup_tree() failure as parse error
If parsing a commit yields a valid tree oid, but we've seen that same
oid as a non-tree in the same process, the resulting commit struct will
end up with a NULL tree pointer, but not otherwise report a parsing
failure.
That's perhaps convenient for callers which want to operate on even
partially corrupt commits (e.g., by still looking at the parents). But
it leaves a potential trap for most callers, who now have to manually
check for a NULL tree. Most do not, and it's likely that there are
possible segfaults lurking. I say "possible" because there are many
candidates, and I don't think it's worth following through on
reproducing them when we can just fix them all in one spot. And
certainly we _have_ seen real-world cases, such as the one fixed by
806278dead (commit-graph.c: handle corrupt/missing trees, 2019-09-05).
Note that we can't quite drop the check in the caller added by that
commit yet, as there's some subtlety with repeated parsings (which will
be addressed in a future commit).
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'commit-graph.c')
0 files changed, 0 insertions, 0 deletions