From patchwork Sat Aug 24 23:09:44 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Stefan Sperling <stsp@stsp.name>
X-Patchwork-Id: 11113169
Return-Path: <SRS0=0IWm=WU=vger.kernel.org=git-owner@kernel.org>
Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
 [172.30.200.123])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id DB6FB14DB
	for <patchwork-git@patchwork.kernel.org>;
 Sat, 24 Aug 2019 23:18:14 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id 8349920673
	for <patchwork-git@patchwork.kernel.org>;
 Sat, 24 Aug 2019 23:18:14 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728177AbfHXXSN (ORCPT
        <rfc822;patchwork-git@patchwork.kernel.org>);
        Sat, 24 Aug 2019 19:18:13 -0400
Received: from einhorn-mail.in-berlin.de ([217.197.80.20]:49897 "EHLO
        einhorn-mail.in-berlin.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727708AbfHXXSM (ORCPT <rfc822;git@vger.kernel.org>);
        Sat, 24 Aug 2019 19:18:12 -0400
X-Greylist: delayed 493 seconds by postgrey-1.27 at vger.kernel.org;
 Sat, 24 Aug 2019 19:18:02 EDT
X-Envelope-From: stsp@stsp.name
Received: from authenticated.user (localhost [127.0.0.1]) by
 einhorn.in-berlin.de  with ESMTPSA id x7ON9j0v029547
        (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
 verify=NOT)
        for <git@vger.kernel.org>; Sun, 25 Aug 2019 01:09:46 +0200
Received: from localhost (jessup.stsp.name [local])
        by jessup.stsp.name (OpenSMTPD) with ESMTPA id cb7a78b1
        for <git@vger.kernel.org>;
        Sun, 25 Aug 2019 01:09:44 +0200 (CEST)
Date: Sun, 25 Aug 2019 01:09:44 +0200
From: Stefan Sperling <stsp@stsp.name>
To: git@vger.kernel.org
Subject: [PATCH] fix segv with corrupt tag object
Message-ID: <20190824230944.GA14132@jessup.stsp.name>
MIME-Version: 1.0
Content-Disposition: inline
User-Agent: Mutt/1.12.1 (2019-06-15)
Sender: git-owner@vger.kernel.org
Precedence: bulk
List-ID: <git.vger.kernel.org>
X-Mailing-List: git@vger.kernel.org

A tag object which lacks newlines won't be parsed correctly.
Git fails to detect this error and crashes due to a NULL deref:

$ git archive 1.0.0
Segmentation fault (core dumped)
$ git checkout 1.0.0
Segmentation fault (core dumped)
$

See the attached tarball for a reproduction repository.
Also mirrored at https://stsp.name/git-checkout-tag-segv-repo.tgz

With the patch below:

$ git checkout 1.0.0
fatal: reference is not a tree: 1.0.0
$ git archive 1.0.0
fatal: not a tree object: a99665eea5ee50171b5b7249880aa2ae35e35823
$
Signed-off-by: Stefan Sperling <stsp@stsp.name>
Signed-off-by: René Scharfe <l.s.r@web.de>

diff --git a/tree.c b/tree.c
index 4720945e6a..92d8bd57a3 100644
--- a/tree.c
+++ b/tree.c
@@ -252,9 +252,11 @@ struct tree *parse_tree_indirect(const struct object_id *oid)
 			return (struct tree *) obj;
 		else if (obj->type == OBJ_COMMIT)
 			obj = &(get_commit_tree(((struct commit *)obj))->object);
-		else if (obj->type == OBJ_TAG)
+		else if (obj->type == OBJ_TAG) {
 			obj = ((struct tag *) obj)->tagged;
-		else
+			if (!obj)
+				return NULL;
+		} else
 			return NULL;
 		if (!obj->parsed)
 			parse_object(the_repository, &obj->oid);