|
|
|
/*
|
|
|
|
* patch-delta.c:
|
|
|
|
* recreate a buffer from a source and the delta produced by diff-delta.c
|
|
|
|
*
|
|
|
|
* (C) 2005 Nicolas Pitre <nico@cam.org>
|
|
|
|
*
|
|
|
|
* This code is free software; you can redistribute it and/or modify
|
|
|
|
* it under the terms of the GNU General Public License version 2 as
|
|
|
|
* published by the Free Software Foundation.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include "git-compat-util.h"
|
|
|
|
#include "delta.h"
|
|
|
|
|
|
|
|
void *patch_delta(const void *src_buf, unsigned long src_size,
|
|
|
|
const void *delta_buf, unsigned long delta_size,
|
|
|
|
unsigned long *dst_size)
|
|
|
|
{
|
|
|
|
const unsigned char *data, *top;
|
|
|
|
unsigned char *dst_buf, *out, cmd;
|
|
|
|
unsigned long size;
|
|
|
|
|
|
|
|
if (delta_size < DELTA_SIZE_MIN)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
data = delta_buf;
|
|
|
|
top = (const unsigned char *) delta_buf + delta_size;
|
|
|
|
|
|
|
|
/* make sure the orig file size matches what we expect */
|
|
|
|
size = get_delta_hdr_size(&data, top);
|
|
|
|
if (size != src_size)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
/* now the result size */
|
|
|
|
size = get_delta_hdr_size(&data, top);
|
|
|
|
dst_buf = xmalloc(size + 1);
|
|
|
|
dst_buf[size] = 0;
|
|
|
|
|
|
|
|
out = dst_buf;
|
|
|
|
while (data < top) {
|
|
|
|
cmd = *data++;
|
|
|
|
if (cmd & 0x80) {
|
|
|
|
unsigned long cp_off = 0, cp_size = 0;
|
|
|
|
if (cmd & 0x01) cp_off = *data++;
|
|
|
|
if (cmd & 0x02) cp_off |= (*data++ << 8);
|
|
|
|
if (cmd & 0x04) cp_off |= (*data++ << 16);
|
Fix big left-shifts of unsigned char
Shifting 'unsigned char' or 'unsigned short' left can result in sign
extension errors, since the C integer promotion rules means that the
unsigned char/short will get implicitly promoted to a signed 'int' due to
the shift (or due to other operations).
This normally doesn't matter, but if you shift things up sufficiently, it
will now set the sign bit in 'int', and a subsequent cast to a bigger type
(eg 'long' or 'unsigned long') will now sign-extend the value despite the
original expression being unsigned.
One example of this would be something like
unsigned long size;
unsigned char c;
size += c << 24;
where despite all the variables being unsigned, 'c << 24' ends up being a
signed entity, and will get sign-extended when then doing the addition in
an 'unsigned long' type.
Since git uses 'unsigned char' pointers extensively, we actually have this
bug in a couple of places.
I may have missed some, but this is the result of looking at
git grep '[^0-9 ][ ]*<<[ ][a-z]' -- '*.c' '*.h'
git grep '<<[ ]*24'
which catches at least the common byte cases (shifting variables by a
variable amount, and shifting by 24 bits).
I also grepped for just 'unsigned char' variables in general, and
converted the ones that most obviously ended up getting implicitly cast
immediately anyway (eg hash_name(), encode_85()).
In addition to just avoiding 'unsigned char', this patch also tries to use
a common idiom for the delta header size thing. We had three different
variations on it: "& 0x7fUL" in one place (getting the sign extension
right), and "& ~0x80" and "& 0x7f" in two other places (not getting it
right). Apart from making them all just avoid using "unsigned char" at
all, I also unified them to then use a simple "& 0x7f".
I considered making a sparse extension which warns about doing implicit
casts from unsigned types to signed types, but it gets rather complex very
quickly, so this is just a hack.
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
16 years ago
|
|
|
if (cmd & 0x08) cp_off |= ((unsigned) *data++ << 24);
|
|
|
|
if (cmd & 0x10) cp_size = *data++;
|
|
|
|
if (cmd & 0x20) cp_size |= (*data++ << 8);
|
|
|
|
if (cmd & 0x40) cp_size |= (*data++ << 16);
|
|
|
|
if (cp_size == 0) cp_size = 0x10000;
|
|
|
|
if (cp_off + cp_size < cp_size ||
|
|
|
|
cp_off + cp_size > src_size ||
|
|
|
|
cp_size > size)
|
|
|
|
break;
|
|
|
|
memcpy(out, (char *) src_buf + cp_off, cp_size);
|
|
|
|
out += cp_size;
|
|
|
|
size -= cp_size;
|
|
|
|
} else if (cmd) {
|
|
|
|
if (cmd > size)
|
|
|
|
break;
|
|
|
|
memcpy(out, data, cmd);
|
|
|
|
out += cmd;
|
|
|
|
data += cmd;
|
|
|
|
size -= cmd;
|
|
|
|
} else {
|
|
|
|
/*
|
|
|
|
* cmd == 0 is reserved for future encoding
|
|
|
|
* extensions. In the mean time we must fail when
|
|
|
|
* encountering them (might be data corruption).
|
|
|
|
*/
|
|
|
|
error("unexpected delta opcode 0");
|
|
|
|
goto bad;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/* sanity check */
|
|
|
|
if (data != top || size != 0) {
|
|
|
|
error("delta replay has gone wild");
|
|
|
|
bad:
|
|
|
|
free(dst_buf);
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
*dst_size = out - dst_buf;
|
|
|
|
return dst_buf;
|
|
|
|
}
|