From patchwork Wed Nov 9 14:16:26 2022
X-Patchwork-Submitter: Phillip Wood
X-Patchwork-Id: 13037576
Date: Wed, 09 Nov 2022 14:16:26 +0000
Subject: [PATCH v2 1/3] git_parse_unsigned: reject negative values
To: git@vger.kernel.org
Cc: René Scharfe, Jeff King, Phillip Wood, Phillip Wood
From: Phillip Wood

git_parse_unsigned() relies on strtoumax() which unfortunately parses negative values as large positive integers. Fix this by rejecting any string that contains '-' as we do in strtoul_ui(). I've chosen to treat negative numbers as invalid input and set errno to EINVAL rather than ERANGE on the basis that they are never acceptable if we're looking for an unsigned integer. This is also consistent with the existing behavior of rejecting "1–2" with EINVAL.

As we do not have unit tests for this function it is tested indirectly by checking that negative values for core.bigFileThreshold are rejected. As this function is also used by OPT_MAGNITUDE() a test is added to check that it rejects negative values too.

Helped-by: Jeff King
Signed-off-by: Phillip Wood
---
 config.c | 5 +++++
 t/t0040-parse-options.sh | 5 +++++
 t/t1050-large.sh | 6 ++++++
 3 files changed, 16 insertions(+)

diff --git a/config.c b/config.c index cbb5a3bab74..d5069d4f01d 100644 --- a/config.c +++ b/config.c @@ -1193,6 +1193,11 @@ static int git_parse_unsigned(const char *value, uintmax_t *ret, uintmax_t max) uintmax_t val; uintmax_t factor; + /* negative values would be accepted by strtoumax */ + if (strchr(value, '-')) { + errno = EINVAL; + return 0; + } errno = 0; val = strtoumax(value, &end, 0); if (errno == ERANGE) diff --git a/t/t0040-parse-options.sh b/t/t0040-parse-options.sh index 5cc62306e39..64d2327b744 100755 --- a/t/t0040-parse-options.sh +++ b/t/t0040-parse-options.sh @@ -709,4 +709,9 @@ test_expect_success 'subcommands are incompatible with KEEP_DASHDASH unless in c grep ^BUG err ' +test_expect_success 'negative magnitude' ' + test_must_fail test-tool parse-options --magnitude -1 >out 2>err && + grep "non-negative integer" err && + test_must_be_empty out +' test_done diff --git a/t/t1050-large.sh b/t/t1050-large.sh index 4f3aa17c994..c71932b0242 100755 --- a/t/t1050-large.sh +++ b/t/t1050-large.sh 
@@ -5,6 +5,12 @@ test_description='adding and checking out large blobs' . ./test-lib.sh +test_expect_success 'core.bigFileThreshold must be non-negative' ' + test_must_fail git -c core.bigFileThreshold=-1 rev-parse >out 2>err && + grep "bad numeric config value" err && + test_must_be_empty out +' + test_expect_success setup ' # clone does not allow us to pass core.bigfilethreshold to # new repos, so set core.bigfilethreshold globally

From patchwork Wed Nov 9 14:16:27 2022
X-Patchwork-Submitter: Phillip Wood
X-Patchwork-Id: 13037577
Message-Id: <54f2ebefa0d8308dc00f6dd035c1baae4a8e1fc7.1668003388.git.gitgitgadget@gmail.com>
Date: Wed, 09 Nov 2022 14:16:27 +0000
Subject: [PATCH v2 2/3] config: require at least one digit when parsing numbers
To: git@vger.kernel.org
Cc: René Scharfe, Jeff King, Phillip Wood, Phillip Wood
From: Phillip Wood

If the input to strtoimax() or strtoumax() does not contain any digits then they return zero and set `end` to point to the start of the input string. git_parse_[un]signed() do not check `end` and so fail to return an error and instead return a value of zero if the input string is a valid units factor without any digits (e.g. "k").

Tests are added to check that 'git config --int' and OPT_MAGNITUDE() reject a units specifier without a leading digit.

Helped-by: Jeff King
Signed-off-by: Phillip Wood
---
 config.c | 8 ++++++++
 t/t0040-parse-options.sh | 7 +++++++
 t/t1300-config.sh | 6 ++++++
 3 files changed, 21 insertions(+)

diff --git a/config.c b/config.c index d5069d4f01d..b7fb68026d8 100644 --- a/config.c +++ b/config.c @@ -1167,6 +1167,10 @@ static int git_parse_signed(const char *value, intmax_t *ret, intmax_t max) val = strtoimax(value, &end, 0); if (errno == ERANGE) return 0; + if (end == value) { + errno = EINVAL; + return 0; + } factor = get_unit_factor(end); if (!factor) { errno = EINVAL; @@ -1202,6 +1206,10 @@ static int git_parse_unsigned(const char *value, uintmax_t *ret, uintmax_t max) val = strtoumax(value, &end, 0); if (errno == ERANGE) return 0; + if (end == value) { + errno = EINVAL; + return 0; + } factor = get_unit_factor(end); if (!factor) { errno = EINVAL; diff --git a/t/t0040-parse-options.sh b/t/t0040-parse-options.sh index 64d2327b744..7d7ecfd5716 100755 --- a/t/t0040-parse-options.sh +++ b/t/t0040-parse-options.sh @@ -714,4 +714,11 @@ test_expect_success 'negative magnitude' ' grep "non-negative integer" err && test_must_be_empty out ' + +test_expect_success 'magnitude with units but no numbers' ' + test_must_fail test-tool parse-options --magnitude m >out 2>err && + grep "non-negative integer" err && + test_must_be_empty out +' + test_done diff --git a/t/t1300-config.sh b/t/t1300-config.sh index c6661e61af5..2575279ab84 100755 --- a/t/t1300-config.sh +++ b/t/t1300-config.sh 
@@ -2228,6 +2228,12 @@ test_expect_success '--type rejects unknown specifiers' ' test_i18ngrep "unrecognized --type argument" error ' +test_expect_success '--type=int requires at least one digit' ' + test_must_fail git config --type int --default m some.key >out 2>error && + grep "bad numeric config value" error && + test_must_be_empty out +' + test_expect_success '--replace-all does not invent newlines' ' q_to_tab >.git/config <<-\EOF && [abc]key

From patchwork Wed Nov 9 14:16:28 2022
X-Patchwork-Submitter: Phillip Wood
X-Patchwork-Id: 13037578
Message-Id: <673e6f1ab93200ab3b6b9ca2bded5db5a3274329.1668003388.git.gitgitgadget@gmail.com>
Date: Wed, 09 Nov 2022 14:16:28 +0000
Subject: [PATCH v2 3/3] git_parse_signed(): avoid integer overflow
To: git@vger.kernel.org
Cc: René Scharfe, Jeff King, Phillip Wood, Phillip Wood
From: Phillip Wood

git_parse_signed() checks that the absolute value of the parsed string is less than or equal to a caller supplied maximum value. When calculating the absolute value there is an integer overflow if `val == INTMAX_MIN`. To fix this avoid negating `val` when it is negative by having separate overflow checks for positive and negative values.

An alternative would be to special case INTMAX_MIN before negating `val` as it is always out of range. That would enable us to keep the existing code but I'm not sure that the current two-stage check is any clearer than the new version.

Signed-off-by: Phillip Wood
---
 config.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/config.c b/config.c index b7fb68026d8..aad3e00341d 100644 --- a/config.c +++ b/config.c @@ -1160,8 +1160,10 @@ static int git_parse_signed(const char *value, intmax_t *ret, intmax_t max) if (value && *value) { char *end; intmax_t val; - uintmax_t uval; - uintmax_t factor; + intmax_t factor; + + if (max < 0) + BUG("max must be a positive integer"); errno = 0; val = strtoimax(value, &end, 0); @@ -1176,9 +1178,8 @@ static int git_parse_signed(const char *value, intmax_t *ret, intmax_t max) errno = EINVAL; return 0; } - uval = val < 0 ? -val : val; - if (unsigned_mult_overflows(factor, uval) || - factor * uval > max) { + if ((val < 0 && -max / factor > val) || + (val > 0 && max / factor < val)) { errno = ERANGE; return 0; }
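
Review bot: In [PATCH v2 1/3], config.c hunk, the comment above `if (strchr(value, '-'))` does not say that matching '-' anywhere in the string, rather than only at `value[0]`, is deliberate. strtoumax() skips leading whitespace before an optional sign, so a later simplification to `*value == '-'` would let " -1" through again; extending the comment to say that the whole string is searched for that reason would guard against it.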
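
Review bot: In [PATCH v2 1/3], t/t0040-parse-options.sh hunk, the new 'negative magnitude' test ends directly against `test_done` with no blank line after its closing `'`. The matching hunk in 2/3 shows `'` followed immediately by `test_done` as context and has to add blank `+` lines on both sides of its own test; adding the separator here would keep that follow-up hunk to the new test only.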
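
Review bot: In [PATCH v2 2/3], first config.c hunk (git_parse_signed()), the new `if (end == value)` check carries no comment, while the '-' guard added to git_parse_unsigned() in 1/3 does. A one-line comment saying that no digits were consumed would tell the reader why a unit-only string such as "k" has to be rejected before `get_unit_factor(end)` is consulted; the same comment fits the identical block in the git_parse_unsigned() hunk.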
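
Review bot: In [PATCH v2 3/3], first config.c hunk, the BUG() text says "max must be a positive integer" but the condition is `max < 0`, so a `max` of zero passes the check. Either word the message as "non-negative" or test `max <= 0`, whichever is intended.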
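
Review bot: In [PATCH v2 3/3], second config.c hunk, the new two-branch condition has no comment saying what it bounds. For a positive `factor`, `-max / factor > val` and `max / factor < val` together accept -max <= val * factor <= max, so the lower limit is -max and not -max - 1. A short comment stating that range, and that the division form is used so that `val` is never negated, would keep a later cleanup from reintroducing `-val`.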
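
The behaviour the first two commit messages describe, as an added stand-alone example (not code from the patches or from git). `parse_magnitude()`, `unit_factor()` and `fail()` are hypothetical names, the unit table is reduced to "k" and "m", and the inputs are constructed; with `strict` set to 0 the parser trusts strtoumax() alone, with 1 it applies the '-' and `end == value` guards. It goes one case beyond the messages by including " -1".

```c
#include <errno.h>
#include <inttypes.h>
#include <stdio.h>
#include <string.h>

static int fail(int err) { errno = err; return 0; }
/* Hypothetical unit table for this example: "", "k", "m"; 0 means unknown. */
static uintmax_t unit_factor(const char *s)
{
	if (!*s) return 1;
	if (!strcmp(s, "k")) return 1024;
	if (!strcmp(s, "m")) return 1024 * 1024;
	return 0;
}

/* strict=0 trusts strtoumax() alone; strict=1 adds the two guards. */
static int parse_magnitude(const char *value, uintmax_t max, int strict, uintmax_t *ret)
{
	char *end;
	uintmax_t val, factor;

	/* strtoumax() negates in the unsigned type: "-1" becomes UINTMAX_MAX */
	if (strict && strchr(value, '-'))
		return fail(EINVAL);
	errno = 0;
	val = strtoumax(value, &end, 0);
	if (errno == ERANGE)
		return 0;
	/* no digits consumed: strtoumax() returned 0 and left end == value */
	if (strict && end == value)
		return fail(EINVAL);
	factor = unit_factor(end);
	if (!factor)
		return fail(EINVAL);
	if (val > max / factor) /* val * factor > max, tested without wrapping */
		return fail(ERANGE);
	*ret = val * factor;
	return 1;
}

int main(void)
{
	const char *in[] = { "-1", " -1", "k", "2k" }; /* constructed inputs */
	for (int i = 0; i < 4; i++) {
		uintmax_t v = 0;
		int lax = parse_magnitude(in[i], UINTMAX_MAX, 0, &v);
		printf("%-4s lax=%d strict=%d\n", in[i], lax, parse_magnitude(in[i], UINTMAX_MAX, 1, &v));
	}
	return 0;
}
```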