Re: [PATCH] sha1_loose_object_info: handle errors from unpack_sha1_rest

[Junio C Hamano <gitster@pobox.com>]

Jeff King <peff@peff.net> writes:

> When a caller of sha1_object_info_extended() sets the
> "contentp" field in object_info, we call unpack_sha1_rest()
> but do not check whether it signaled an error.
>
> This causes two problems:
>
>   1. We pass back NULL to the caller via the contentp field,
>      but the function returns "0" for success. A caller
>      might reasonably expect after a successful return that
>      it can access contentp without a NULL check and
>      segfault.
>
>      As it happens, this is impossible to trigger in the
>      current code. There is exactly one caller which uses
>      contentp, read_object(). And the only thing it does
>      after a successful call is to return the content
>      pointer to its caller, using NULL as a sentinel for
>      errors. So in effect it converts the success code from
>      sha1_object_info_extended() back into an error!
>
>      But this is still worth addressing avoid problems for
>      future users of "contentp".
>
>   2. Callers of unpack_sha1_rest() are expected to close the
>      zlib stream themselves on error. Which means that we're
>      leaking the stream.
>
> The problem in (1) comes from from c84a1f3ed4 (sha1_file:
> refactor read_object, 2017-06-21), which added the contentp
> field.  Before that, we called unpack_sha1_rest() via
> unpack_sha1_file(), which directly used the NULL to signal
> an error.
>
> But note that the leak in (2) is actually older than that.
> The original unpack_sha1_file() directly returned the result
> of unpack_sha1_rest() to its caller, when it should have
> been closing the zlib stream itself on error.
>
> Signed-off-by: Jeff King <peff@peff.net>
> ---

Obviously correct.  (2) is as old as Git itself; it eventually
blames down to e83c5163 ("Initial revision of "git", the information
manager from hell", 2005-04-07), where read-cache.c::unpack_sha1_file()
liberally returns NULL without cleaning up the zstream.

Thanks.

>  sha1_file.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/sha1_file.c b/sha1_file.c
> index 09ad64ce55..10c3a0083d 100644
> --- a/sha1_file.c
> +++ b/sha1_file.c
> @@ -1124,10 +1124,14 @@ static int sha1_loose_object_info(const unsigned char *sha1,
>  	} else if ((status = parse_sha1_header_extended(hdr, oi, flags)) < 0)
>  		status = error("unable to parse %s header", sha1_to_hex(sha1));
>  
> -	if (status >= 0 && oi->contentp)
> +	if (status >= 0 && oi->contentp) {
>  		*oi->contentp = unpack_sha1_rest(&stream, hdr,
>  						 *oi->sizep, sha1);
> -	else
> +		if (!*oi->contentp) {
> +			git_inflate_end(&stream);
> +			status = -1;
> +		}
> +	} else
>  		git_inflate_end(&stream);
>  
>  	munmap(map, mapsize);