405 Commits

Author SHA1 Message Date
Andreas Gruenbacher
de89dde09e Update NEWS v2.7.4 2015-01-31 22:14:01 +01:00
Andreas Gruenbacher
38d87ecb9e Fix indentation heuristic for context diffs
Diffs can be indented by a variable number of spaces, tabs, or X characters.
Make sure that intuit_diff_type() only accepts context diffs where the first
and second line are indented identically, or else another_hunk() will fail.
* src/pch.c (intuit_diff_type): Remember the indentation of the last line. Only
recognize context diff hunks with the same amount of indentation on the first
and second line.
* tests/garbage: New test case.
* tests/Makefile.am (TESTS): Add test case.
2015-01-31 22:14:01 +01:00
Quentin Casasnovas
82b800c955 patch: git-diff mode: do not change permissions if there isn't an explicit mode change.
Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
2015-01-31 22:14:01 +01:00
Quentin Casasnovas
68d39ff29f tests: add a test case for unwanted mode changes.
Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
2015-01-31 22:14:01 +01:00
Quentin Casasnovas
c80b1a06a9 test-lib.sh: factorize require_* functions
Since the code is identical when just checking if a utility is present on
the system or not, we can factorize it.

Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
2015-01-31 22:14:01 +01:00
Andreas Gruenbacher
8d621e8819 Add test case for patch behind symlink
* tests/symlinks: Add a test case where the patch file itself is in a path that
follows a symbolic link; we want to continue allowing that.
2015-01-31 22:14:01 +01:00
Tim Waugh
290ffcb488 Allow arbitrary symlink targets again
* src/util.c (symlink_target_is_valid): Remove.
(move_file): Remove symlink target checking.
* tests/symlinks: Update test case.
2015-01-31 22:14:01 +01:00
Andreas Gruenbacher
b72e3be5c8 Update list of gnulib modules used
* bootstrap.conf (gnulib_modules): Remove lchmod, lstat, mkdir, readlink,
rename, mkdir, symlink, unlink, utimens. Add fchownat, fchmodat, fstatat,
mkdirat, openat, readlinkat, renameat, symlinkat, unlinkat, utimensat.
* src/util.h: Don't include <utimens.h> anymore.
2015-01-31 22:14:01 +01:00
Andreas Gruenbacher
71a3172c7e Use symlink-safe system call replacements
Use the symlink-safe replacements for system calls in many places throughout
the code: In some places this makes patch safe against path traversal attacks;
in other places, it saves the kernel from having to re-traverse the pathnames.
* src/inp.c (plan_b): Use safe_open() + fdopen() instead of fopen().
* src/util.c (copy_attr): Document why we are safe here.
(create_backup): Use safe_open() instead of creat().
2015-01-31 22:14:00 +01:00
Tim Waugh
025a54b789 Add symlink-safe system call replacements
Add wrappers around system calls that traverse relative pathnames without
following symlinks. Written by Tim Waugh <twaugh@redhat.com> and Andreas
Gruenbacher <agruenba@redhat.com>.
* src/safe.h: Declare functions here.
* src/safe.c: Implement safe_* system call replacements that do not follow
symlinks along pathnames. Pathname components are resolved with openat().
Lookup results are cached to keep the overhead reasonably low.
* tests/deep-directories: New path traversal cache test.
* src/Makefile.am (patch_SOURCES): Add safe.[ch].
* tests/Makefile.am (TESTS): Add new test.
2015-01-31 22:13:44 +01:00
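Added example, not code from patch's src/safe.c: a simplified sketch of the technique this commit message describes, resolving a relative pathname one component at a time with openat() and refusing symlinks. The names open_nofollow and demo, and the temporary-directory fixture, are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not patch's safe_open): open a relative path below
   dirfd one component at a time; symlinks, ".." and absolute paths fail.
   flags apply to the last component and must not contain O_CREAT. */
static int open_nofollow(int dirfd, const char *path, int flags)
{
    char buf[4096], *save, *comp, *rest;
    int fd = dirfd, next;
    if (path[0] == '/' || strlen(path) >= sizeof buf) { errno = EINVAL; return -1; }
    strcpy(buf, path);
    for (comp = strtok_r(buf, "/", &save); comp; comp = rest) {
        rest = strtok_r(NULL, "/", &save);
        if (strcmp(comp, "..") == 0) { errno = EINVAL; next = -1; }
        else  /* intermediate components must be real directories */
            next = openat(fd, comp, (rest ? O_RDONLY | O_DIRECTORY : flags) | O_NOFOLLOW);
        if (fd != dirfd) close(fd);
        if (next < 0) return -1;
        fd = next;
    }
    if (fd == dirfd) { errno = EINVAL; return -1; }   /* empty path */
    return fd;
}

/* Constructed fixture: <tmp>/real/f and a symlink <tmp>/link -> real.
   Returns a bitmask of the lookups that succeeded:
   1 = "real/f", 2 = "link/f", 4 = "real/../real/f". */
static int demo(void)
{
    char tmpl[] = "/tmp/nofollow-XXXXXX";
    const char *paths[] = { "real/f", "link/f", "real/../real/f" };
    int root, fd, i, mask = 0;
    if (!mkdtemp(tmpl) || (root = open(tmpl, O_RDONLY | O_DIRECTORY)) < 0) return -1;
    if (mkdirat(root, "real", 0700) || symlinkat("real", root, "link")
        || (fd = openat(root, "real/f", O_CREAT | O_WRONLY, 0600)) < 0) return -1;
    close(fd);
    for (i = 0; i < 3; i++)
        if ((fd = open_nofollow(root, paths[i], O_RDONLY)) >= 0) { mask |= 1 << i; close(fd); }
    unlinkat(root, "link", 0); unlinkat(root, "real/f", 0);
    unlinkat(root, "real", AT_REMOVEDIR); close(root); rmdir(tmpl);
    return mask;
}
int main(void) { return demo() == 1 ? 0 : 1; }
```

Only the direct path opens; the same file reached through the symlink or through a ".." component is refused, because every lookup is relative to a directory descriptor that is already held rather than to a pathname that is re-resolved.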
Andreas Gruenbacher
6a56d401d2 build: update gnulib submodule to latest 2015-01-31 18:25:15 +01:00
Tim Waugh
75fcb4b560 Avoid closing file descriptor twice
* src/patch.c (main): Make sure we don't close() outfd after passing it on to
fdopen(): the file descriptor might have been reused in the meantime.
2015-01-31 18:25:12 +01:00
Andreas Gruenbacher
3e7113a6b5 Remove unused variable
* src/pch.c (name_is_valid): Remove unused variable.
2015-01-29 19:31:53 +01:00
Andreas Gruenbacher
41688ad8ef Fix the fix for CVE-2015-1196
* src/util.c (filename_is_safe): New function split off from name_is_valid().
(symlink_target_is_valid): Explain why we cannot have absolute symlinks or
symlinks with ".." components for now.
(move_file): Move absolute filename check here and explain.
* tests/symlinks: Put test case with ".." symlink in comments for now.
* NEWS: Add CVE number.
v2.7.3
2015-01-22 21:51:51 +01:00
Andreas Gruenbacher
17953b5893 For renames and copies, make sure that both file names are valid
* src/patch.c (main): Allow there_is_another_patch() to set the
skip_rest_of_patch flag.
* src/pch.c (intuit_diff_type): For renames and copies, also check the "other"
file name.
(pch_copy, pch_rename): Now that both names are checked in intuit_diff_type(),
we know they are defined here.
2015-01-21 16:32:41 +01:00
Andreas Gruenbacher
0c08d7a902 Fail when out of memory in set_hunkmax()
src/pch.c (another_hunk): Call set_hunkmax() from here to make sure it is
called even when falling back from plan A to plan B.
(open_patch_file): No need to call set_hunkmax() anymore.
src/pch.c (set_hunkmax): Fail when out of memory. Make static.
src/pch.h: Remove set_hunkmax() prototype.
v2.7.2
2015-01-20 12:43:57 +01:00
Andreas Gruenbacher
19285e563a Don't try applying hunks at offsets that can't work
* src/patch.c (locate_hunk): Start trying to apply the hunk at the minimum
offset which puts the hunk in the valid range of lines. This will often still
be offset 0.
2015-01-20 12:00:24 +01:00
Andreas Gruenbacher
ae88d1c270 Move symlink_target_is_valid() and cwd_is_root()
* src/util.c: Move symlink_target_is_valid() and cwd_is_root() here from
src/pch.c.
2015-01-20 10:10:10 +01:00
Andreas Gruenbacher
4e9269a5fc Make sure symlinks don't point outside working directory (CVE-2015-119)
When creating symlinks from git-style patches, make sure the symlinks don't
point above the current working directory.  Otherwise, a subsequent patch could
use the symlink to write outside the working directory.

* src/pch.c (symlink_target_is_valid): New function to check for valid symlink
targets.
* src/util.c (move_file): Use symlink_target_is_valid() here.
* tests/symlinks: Add valid and invalid symlink test cases.
2015-01-19 23:18:30 +01:00
Andreas Gruenbacher
44a987e02f Add line number overflow checking
* bootstrap.conf: use intprops module.
* src/common.h: Define LINENUM_MIN and LINENUM_MAX macros.
* src/pch.c (another_hunk): Add line number overflow checking.  Based on Robert
C. Seacord's INT32-C document for integer overflow checking and Tobias
Stoeckmann's "integer overflows and oob memory access" patch for FreeBSD.
2014-11-30 20:56:46 +01:00
Andreas Gruenbacher
f22e47d873 More savebuf/savestr error handling
* bootstrap.conf: use xmemdup0 module.
* src/pch.c (there_is_another_patch): Use xmemdup0 instead of savebuf when we
cannot recover from out-of-memory situations.
(intuit_diff_type): Likewise, use xstrdup instead of savestr.
(another_hunk): Handle the case when savestr returns NULL.
* src/util.c (fetchname, parse_name): Use xmemdup0 instead of savebuf when we
cannot recover from out-of-memory situations.

Bugs pointed out by Tobias Stoeckmann <tobias@stoeckmann.org>.
2014-11-30 15:52:42 +01:00
Tobias Stoeckmann
e4c6511f46 savebuf/savestr error handling
* src/patch.c (get_some_switches): The function savebuf (and therefore savestr)
copies strings using malloc.  If malloc fails, NULL is returned.  This is
intentional behavior so that in case of failure during "plan a" patching, "plan
b" can step in.  The return value has to be properly checked for NULL.  If the
return value must not be NULL, use xstrdup instead.
2014-11-30 15:35:44 +01:00
Andreas Gruenbacher
3fd4144ae9 build: update gnulib submodule to latest
* src/merge.c (compute_changes): The TOO_EXPENSIVE heuristic in diffseq has
been removed, including compareseq's find_minimal parameter and the context's
too_expensive limit.  Adjust.
2014-11-30 15:35:31 +01:00
Jean Delvare
65193f1cc1 Drop useless test in another_hunk()
src/pch.c (another_hunk): This test will always succeed.
2014-11-10 11:43:36 +01:00
Tobias Stoeckmann
e25e622dec Buffer overflow on malicious input file
There is a hard to reach but possible buffer overflow when using
patch with a very large (modified) input file.  I doubt you will ever
see this with a 64 bit system, but it's possible with 32 bit:

$ echo hello > file1
$ echo world > file2
$ diff -Nau file1 file2 > file.diff

Nothing fancy so far.  Adjust file1 so it contains at least one line that
is 2 GB in size.  Larger is fine too, but stay below 4 GB.

$ tr '\0' c < /dev/zero | dd bs=1K count=2097152 of=file1

Now try to patch it.

$ patch -Np0 -i file.diff
Segmentation fault

The issue is in patch's "plan b" strategy  (If your system would still
want to use "plan a", force patch to use "plan b" through debug flag).

Plan b writes lines into a temporary file, with equally long lines, so
it can use a buffer mechanism to access them in a kind of random
fashion.  In order to do that, it retrieves the longest line.

In this example, it will encounter the 2 GB line and store that as the
longest one.  Afterwards it will adjust the tibufsize variable to be
large enough:

  for (tibufsize = TIBUFSIZE_MINIMUM;  tibufsize < maxlen;  tibufsize <<= 1)
    /* do nothing */ ;

Due to maxlen's size (2 GB), tibufsize will be SIZE_T_MAX, i.e. 4 GB.
A few lines later it allocates space for the tibuf buffers:

  tibuf[0] = xmalloc (2 * tibufsize);
  tibuf[1] = tibuf[0] + tibufsize;

This will allocate 0 bytes because tibufsize overflowed.  The next
time patch writes into the buffer, a segmentation fault will occur...
Depends on your system how long it takes until that happens. ;)

The fix is simple:  Bail out on lines that are too long.  Patch already
does that for files that have too many lines.
2014-10-30 22:47:40 +01:00
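Added example, not part of the commit or of patch's source: the sizing arithmetic from the message above, with a 32-bit size_t modelled as uint32_t so the wrap-around is reproducible on any host, next to a checked variant that bails out. The value of TIBUFSIZE_MINIMUM and both function names are assumptions; the checked variant is one way to reject over-long lines, not the fix that was committed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed value: the commit message names TIBUFSIZE_MINIMUM but not its size. */
#define TIBUFSIZE_MINIMUM 8192u

/* The sizing code from the commit message, with size_t modelled as uint32_t.
   Returns the byte count that would reach xmalloc (2 * tibufsize). Only call
   this with maxlen <= 2^31: above that the doubling wraps tibufsize to 0 and
   the loop never ends. */
static uint32_t unchecked_alloc_bytes(uint32_t maxlen)
{
    uint32_t tibufsize;
    for (tibufsize = TIBUFSIZE_MINIMUM; tibufsize < maxlen; tibufsize <<= 1)
        /* do nothing */ ;
    return 2 * tibufsize;            /* wraps modulo 2^32 */
}

/* Hardened variant (hypothetical, not patch's actual fix): refuse any line
   length for which tibufsize or 2 * tibufsize cannot be represented. */
static bool checked_alloc_bytes(uint32_t maxlen, uint32_t *bytes)
{
    uint32_t tibufsize = TIBUFSIZE_MINIMUM;
    while (tibufsize < maxlen) {
        if (tibufsize > UINT32_MAX / 2)
            return false;            /* doubling would wrap */
        tibufsize <<= 1;
    }
    if (tibufsize > UINT32_MAX / 2)
        return false;                /* 2 * tibufsize would wrap */
    *bytes = 2 * tibufsize;
    return true;
}

int main(void)
{
    uint32_t two_gb = UINT32_C(1) << 31, bytes = 0;
    printf("unchecked request for a 2 GB line: %u bytes\n",
           (unsigned) unchecked_alloc_bytes(two_gb));
    printf("checked: %s\n",
           checked_alloc_bytes(two_gb, &bytes) ? "allocate" : "line too long, bail out");
    return 0;
}
```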
Andreas Gruenbacher
f926295f4f Improve error message when refusing to delete file
* src/patch.c: Improve error message.
* tests/create-delete: Update the test case.
2014-08-13 01:16:44 +02:00
Andreas Gruenbacher
dc63883f08 Correct the --help text of option --merge
* src/patch.c (option_help): The --merge option does not have a short
form; update the help text.
2013-12-09 09:26:16 +01:00
Steven Rostedt
a2f4bfe0f3 Preserve function names in reject files
* src/patch.c (main): Preserve function names in reject files.
* tests/reject-format: Update the test case.
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Andreas Gruenbacher <agruen@linbit.com>
2013-08-19 22:44:46 +02:00
Andreas Gruenbacher
89dbba7229 Test case for the dry-run fix
* tests/create-directory: Add test case here.
2013-07-30 15:28:25 +02:00
Andreas Gruenbacher
afdfa9ec8e In dry-run mode, create temporary files in a temporary directory
* src/util.c (make_tempfile): Do not create temporary files in the final output
directory when in dry-run mode: the path may be read-only.  In addition, we do
not want to leave intermediary empty output directories around.
2013-07-30 12:52:42 +02:00
Eric S. Raymond
aac14e3187 Fix some formatting problems in the manpage
* patch.1: Use higher-level markup that translates better into HTML and other
formats.  (With changes by Andreas Gruenbacher.)
2013-06-18 09:48:32 +02:00
Stefano Lattarini
60c9d4838f build: don't use -Werror in AM_INIT_AUTOMAKE
Doing so prevents bootstrapping with bleeding-edge autotools,
because of harmless deprecation warnings (that are not planned
to become hard errors for at least a few years to come).  And
unfortunately, options in AM_INIT_AUTOMAKE take precedence over
those given on the command line (this is a long-time wart of
automake).

* configure.ac (AM_INIT_AUTOMAKE): Drop '-Werror' option.

Copyright-paperwork-exempt: yes
Signed-off-by: Stefano Lattarini <stefano.lattarini@gmail.com>
2013-05-02 06:03:31 +02:00
Andreas Gruenbacher
2f40ef66be Fix removing empty directories
Reported by Thomas Moschny <thomas.moschny@gmx.de>:
src/patch.c (main): Temporary output files are created in the same directory as
the output file.  Make sure to remove them before removing empty files and
their empty ancestor directories; else the directories won't be empty.
tests/remove-directories: Add directory removal test case.
tests/Makefile.am (TESTS): Add new test case.
2013-03-10 19:02:54 +01:00
Andreas Gruenbacher
082baa326a Clarify the description of option --forward
* patch.man: Clarify the description of option --forward.
2013-01-03 22:19:20 +01:00
Andreas Gruenbacher
291ec17581 Initialize data structures early enough
* src/patch.c (main): Initialize data structures early enough, before error
paths can access them.
* tests/bad-usage: Test bad command line usage.
* tests/Makefile.am (TESTS): Add bad-usage here.
2012-10-04 12:43:05 +02:00
Andreas Gruenbacher
47191c287d Don't fail test suite if printf '\0' is broken
* tests/create-delete: Skip binary diff test if printf '\0' is broken.
2012-09-30 13:06:35 +02:00
Andreas Gruenbacher
bbb840edca Version 2.7.1 v2.7.1 2012-09-28 18:39:33 +02:00
Andreas Gruenbacher
6214f5e222 build: update gnulib submodule to latest 2012-09-28 18:39:33 +02:00
Andreas Gruenbacher
fc5ddce20e Repair 'backup of unmodified file' test
tests/create-delete: Repair 'backup of unmodified file' test.
2012-09-28 18:39:33 +02:00
Andreas Gruenbacher
ac59899327 Use gnulib errno module instead of our own default ENOTSUP fallback
* bootstrap.conf (gnulib_modules): Add errno module.
* src/common.h: Remove ENOTSUP fallback.
2012-09-28 16:00:04 +02:00
Andreas Gruenbacher
c9de555284 Trailing whitespace fix
* NEWS: Trailing whitespace fix.
2012-09-28 12:43:42 +02:00
Andreas Gruenbacher
e8bfce6547 Improve the previous commit
* src/patch.c: Only print the "file is not empty after patch" message when
trying to delete the output file.  Say that we were trying to delete the file.
* tests/create-delete: Fix the expected messages.  Add test cases for the
--remove-empty-files and --posix options.
* NEWS: Better describe this change.
2012-09-26 01:33:22 +02:00
Andreas Gruenbacher
1d9ed51e9c Only expect files to become empty if the patch says so
Test cases based on patches from Dmitry V. Levin <ldv@altlinux.org>.
* src/patch.c (main): Only expect files to become empty if the patch says so.
* NEWS: Document this change.
* tests/create-delete: Add (more) empty vs. non-empty test cases.
2012-09-25 04:07:53 +02:00
Jim Meyering
b272c2d535 build: avoid gcc warnings from -Wsuggest-attribute=format
* configure.ac (WARN_CFLAGS): Disable -Wsuggest-attribute=format,
to avoid some warnings that are not worth working around.
2012-09-22 21:35:04 +02:00
Andreas Gruenbacher
89e5f702eb Update NEWS
* NEWS: Update.
2012-09-22 20:34:53 +02:00
Andreas Gruenbacher
3ccb16e10b Improve messages when in --dry-run mode
* src/patch.c (main): Say that we are checking a file and not that we are
patching it in --dry-run mode.  Don't say "saving rejects to file" when we
don't create reject files.
* tests/reject-format: Add rejects with --dry-run test case.
* tests/bad-filenames, tests/fifo, tests/mixed-patch-types: Update.
2012-09-22 20:10:53 +02:00
Andreas Gruenbacher
db1bd7f693 Improve handling of LF vs. CRLF line endings
* src/patch.c (check_line_endings): New function.
(main): When a hunk fails, report when the line endings differ between the
input file and the patch.
* src/pch.c (there_is_another_patch): When saying that we strip trailing CRs,
also say how to turn this off.
* tests/crlf-handling: Update changed messages.  Add test case that fails.
2012-09-22 20:02:48 +02:00
Andreas Gruenbacher
d24f630fbc Ignore when preserving extended attributes is not supported or allowed
* src/common.h (ENOTSUP): Make sure this error code is defined.
* src/util.c (set_file_attributes): Ignore ENOSYS, ENOTSUP, and EPERM errors.
2012-09-22 18:32:10 +02:00
Andreas Gruenbacher
1d9d403394 Add a missing explanation in the tests/crlf-handling test case
* tests/crlf-handling: Add explanation.
2012-09-20 04:34:40 +02:00
Andreas Gruenbacher
293415dbcf Add --follow-symlinks option for backwards compatibility
* src/common.h (follow_symlinks): New variable.
* src/patch.c (longopts): Add new --follow-symlinks option.
(get_some_switches): Recognize the new option.
* src/util.c (stat_file): Follow symlinks if requested.
* patch.man: Document the new option.
* tests/symlinks: Add test case.
2012-09-19 03:16:07 +02:00