[0/10] some zlib inflating bug fixes

Message ID 20250225062518.GA1293854@coredump.intra.peff.net (mailing list archive)

Jeff King Feb. 25, 2025, 6:25 a.m. UTC
Here are a few bug fixes related to zlib-inflating objects. One is an
infinite loop, but triggering it requires writing to the local repo
along with running some seldom-used commands, so I think it is not a
security risk.  The other can be triggered by sending a specially
crafted pack, but it triggers a BUG(), so you'd only be crashing out
your own push.

The fixes themselves are in patches 4 and 5. The rest are related
cleanups or clarifications in nearby code.

  [01/10]: loose_object_info(): BUG() on inflating content with unknown type
  [02/10]: unpack_loose_header(): simplify next_out assignment
  [03/10]: unpack_loose_header(): report headers without NUL as "bad"
  [04/10]: unpack_loose_header(): fix infinite loop on broken zlib input
  [05/10]: git_inflate(): skip zlib_post_call() sanity check on Z_NEED_DICT
  [06/10]: unpack_loose_header(): avoid numeric comparison of zlib status
  [07/10]: unpack_loose_rest(): avoid numeric comparison of zlib status
  [08/10]: unpack_loose_rest(): never clean up zstream
  [09/10]: unpack_loose_rest(): simplify error handling
  [10/10]: unpack_loose_rest(): rewrite return handling for clarity

 git-zlib.c          | 27 +++++++++++++----------
 object-file.c       | 48 ++++++++++++++++++++--------------------
 t/t1006-cat-file.sh | 53 +++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 92 insertions(+), 36 deletions(-)

-Peff