From 74d156f4a1b1d563b422127ee347eaa348973a0c Mon Sep 17 00:00:00 2001 From: Phillip Wood Date: Thu, 4 Oct 2018 11:07:41 +0100 Subject: [PATCH 1/5] diff --color-moved-ws: fix double free crash Running git diff --color-moved-ws=allow-indentation-change v2.18.0 v2.19.0 results in a crash due to a double free. This happens when two potential moved blocks start with consecutive lines. As pmb_advance_or_null_multi_match() advances it copies the ws_delta from the last matching line to the next. When the first of our consecutive lines is advanced its ws_delta will be copied to the second, overwriting the ws_delta of the block containing the second line. Then when the second line is advanced it will copy the new ws_delta to the line below it and so on. Eventually one of these blocks will stop matching and the ws_delta will be freed. From then on the other block is in a use-after-free state and when it stops matching it will try to free the ws_delta that has already been freed by the other block. The solution is to store the ws_delta in the array of potential moved blocks rather than with the lines. This means that it no longer needs to be copied around and one block cannot overwrite the ws_delta of another. Additionally it saves some malloc/free calls as we don't keep allocating and freeing ws_deltas. Signed-off-by: Phillip Wood Reviewed-by: Stefan Beller Signed-off-by: Junio C Hamano --- diff.c | 82 ++++++++++++++++++++++++++++++++-------------------------- 1 file changed, 45 insertions(+), 37 deletions(-) diff --git a/diff.c b/diff.c index f0c7557b40..566419dc75 100644 --- a/diff.c +++ b/diff.c @@ -776,7 +776,6 @@ struct moved_entry { struct hashmap_entry ent; const struct emitted_diff_symbol *es; struct moved_entry *next_line; - struct ws_delta *wsd; }; /** 
@@ -793,6 +792,17 @@ struct ws_delta { }; #define WS_DELTA_INIT { NULL, 0 } +struct moved_block { + struct moved_entry *match; + struct ws_delta wsd; +}; + +static void moved_block_clear(struct moved_block *b) +{ + FREE_AND_NULL(b->wsd.string); + b->match = NULL; +} + static int compute_ws_delta(const struct emitted_diff_symbol *a, const struct emitted_diff_symbol *b, struct ws_delta *out) @@ -810,7 +820,7 @@ static int compute_ws_delta(const struct emitted_diff_symbol *a, static int cmp_in_block_with_wsd(const struct diff_options *o, const struct moved_entry *cur, const struct moved_entry *match, - struct moved_entry *pmb, + struct moved_block *pmb, int n) { struct emitted_diff_symbol *l = &o->emitted_symbols->buf[n]; @@ -830,16 +840,15 @@ static int cmp_in_block_with_wsd(const struct diff_options *o, if (strcmp(a, b)) return 1; - if (!pmb->wsd) + if (!pmb->wsd.string) /* - * No white space delta was carried forward? This can happen - * when we exit early in this function and do not carry - * forward ws. + * The white space delta is not active? This can happen + * when we exit early in this function. */ return 1; /* - * The indent changes of the block are known and carried forward in + * The indent changes of the block are known and stored in * pmb->wsd; however we need to check if the indent changes of the * current line are still the same as before. * @@ -847,8 +856,8 @@ static int cmp_in_block_with_wsd(const struct diff_options *o, * one of them for the white spaces, depending which was longer. */ - wslen = strlen(pmb->wsd->string); - if (pmb->wsd->current_longer) { + wslen = strlen(pmb->wsd.string); + if (pmb->wsd.current_longer) { c += wslen; cl -= wslen; } else { @@ -898,7 +907,6 @@ static struct moved_entry *prepare_entry(struct diff_options *o, ret->ent.hash = xdiff_hash_string(l->line, l->len, flags); ret->es = l; ret->next_line = NULL; - ret->wsd = NULL; return ret; } 
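Review bot: The new struct moved_block holds an owned heap pointer in `wsd.string`, but neither the struct nor moved_block_clear() records who owns it or when it is NULL, so readers of shrink_potential_moved_blocks() and mark_color_as_moved() have to reconstruct that from the free calls. A comment above the struct should say that `match` is the entry the block currently points at and that `wsd.string` is NULL unless an indentation delta is being tracked, is owned by the block, and is released only through moved_block_clear(). On the helper itself, `/* release the owned whitespace delta and mark the slot unused */` is enough. The hunk ends on the signature of compute_ws_delta(), whose body lies outside it.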
@@ -938,18 +946,18 @@ static void add_lines_to_move_detection(struct diff_options *o, static void pmb_advance_or_null(struct diff_options *o, struct moved_entry *match, struct hashmap *hm, - struct moved_entry **pmb, + struct moved_block *pmb, int pmb_nr) { int i; for (i = 0; i < pmb_nr; i++) { - struct moved_entry *prev = pmb[i]; + struct moved_entry *prev = pmb[i].match; struct moved_entry *cur = (prev && prev->next_line) ? prev->next_line : NULL; if (cur && !hm->cmpfn(o, cur, match, NULL)) { - pmb[i] = cur; + pmb[i].match = cur; } else { - pmb[i] = NULL; + pmb[i].match = NULL; } } } @@ -957,7 +965,7 @@ static void pmb_advance_or_null(struct diff_options *o, static void pmb_advance_or_null_multi_match(struct diff_options *o, struct moved_entry *match, struct hashmap *hm, - struct moved_entry **pmb, + struct moved_block *pmb, int pmb_nr, int n) { int i; 
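Review bot: pmb_advance_or_null() drops a block by setting only `pmb[i].match = NULL` and never touches `pmb[i].wsd`, so it is leak-free only as long as this variant runs with `wsd.string` NULL in every slot (the else branch in mark_color_as_moved() sets it that way, but which advance function is selected is not visible in this series). A comment at the `pmb[i].match = NULL;` line would pin that assumption down, e.g. `/* wsd.string is expected to be NULL here: no indentation-change tracking on this path */`, or the line could simply call moved_block_clear(&pmb[i]) and be correct either way. The rest of both functions in this hunk is a mechanical type change.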
@@ -965,49 +973,45 @@ static void pmb_advance_or_null_multi_match(struct diff_options *o, for (; match; match = hashmap_get_next(hm, match)) { for (i = 0; i < pmb_nr; i++) { - struct moved_entry *prev = pmb[i]; + struct moved_entry *prev = pmb[i].match; struct moved_entry *cur = (prev && prev->next_line) ? prev->next_line : NULL; if (!cur) continue; - if (!cmp_in_block_with_wsd(o, cur, match, pmb[i], n)) + if (!cmp_in_block_with_wsd(o, cur, match, &pmb[i], n)) got_match[i] |= 1; } } for (i = 0; i < pmb_nr; i++) { if (got_match[i]) { - /* Carry the white space delta forward */ - pmb[i]->next_line->wsd = pmb[i]->wsd; - pmb[i] = pmb[i]->next_line; + /* Advance to the next line */ + pmb[i].match = pmb[i].match->next_line; } else { - if (pmb[i]->wsd) { - free(pmb[i]->wsd->string); - FREE_AND_NULL(pmb[i]->wsd); - } - pmb[i] = NULL; + moved_block_clear(&pmb[i]); } } } -static int shrink_potential_moved_blocks(struct moved_entry **pmb, +static int shrink_potential_moved_blocks(struct moved_block *pmb, int pmb_nr) { int lp, rp; /* Shrink the set of potential block to the remaining running */ for (lp = 0, rp = pmb_nr - 1; lp <= rp;) { - while (lp < pmb_nr && pmb[lp]) + while (lp < pmb_nr && pmb[lp].match) lp++; /* lp points at the first NULL now */ - while (rp > -1 && !pmb[rp]) + while (rp > -1 && !pmb[rp].match) rp--; /* rp points at the last non-NULL */ if (lp < pmb_nr && rp > -1 && lp < rp) { pmb[lp] = pmb[rp]; - pmb[rp] = NULL; + pmb[rp].match = NULL; + pmb[rp].wsd.string = NULL; rp--; lp++; } @@ -1054,7 +1058,7 @@ static void mark_color_as_moved(struct diff_options *o, struct hashmap *add_lines, struct hashmap *del_lines) { - struct moved_entry **pmb = NULL; /* potentially moved blocks */ + struct moved_block *pmb = NULL; /* potentially moved blocks */ int pmb_nr = 0, pmb_alloc = 0; int n, flipped_block = 1, block_length = 0; 
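Review bot: In shrink_potential_moved_blocks() the struct assignment `pmb[lp] = pmb[rp];` moves ownership of `wsd.string` to the left slot, and the two lines after it null the right slot by hand precisely so the string is not freed twice; nothing says so, and a later cleanup that replaces those two lines with moved_block_clear(&pmb[rp]) would free the string the left slot still holds. A comment such as `/* the struct copy moved ownership of wsd.string to pmb[lp]; null the source by hand, do not moved_block_clear() it */` protects the invariant. The existing comments `lp points at the first NULL now` and `rp points at the last non-NULL` now refer to `.match` and could say so. The tail of the function lies outside the hunk.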
@@ -1083,7 +1087,11 @@ static void mark_color_as_moved(struct diff_options *o, } if (!match) { + int i; + adjust_last_block(o, n, block_length); + for(i = 0; i < pmb_nr; i++) + moved_block_clear(&pmb[i]); pmb_nr = 0; block_length = 0; continue; @@ -1111,14 +1119,12 @@ static void mark_color_as_moved(struct diff_options *o, ALLOC_GROW(pmb, pmb_nr + 1, pmb_alloc); if (o->color_moved_ws_handling & COLOR_MOVED_WS_ALLOW_INDENTATION_CHANGE) { - struct ws_delta *wsd = xmalloc(sizeof(*match->wsd)); - if (compute_ws_delta(l, match->es, wsd)) { - match->wsd = wsd; - pmb[pmb_nr++] = match; - } else - free(wsd); + if (compute_ws_delta(l, match->es, + &pmb[pmb_nr].wsd)) + pmb[pmb_nr++].match = match; } else { - pmb[pmb_nr++] = match; + pmb[pmb_nr].wsd.string = NULL; + pmb[pmb_nr++].match = match; } } @@ -1135,6 +1141,8 @@ static void mark_color_as_moved(struct diff_options *o, } adjust_last_block(o, n, block_length); + for(n = 0; n < pmb_nr; n++) + moved_block_clear(&pmb[n]); free(pmb); } From cf074a9b0e589bad8e6b210ac1e3a4714463f7db Mon Sep 17 00:00:00 2001 From: Phillip Wood Date: Thu, 4 Oct 2018 11:07:42 +0100 Subject: [PATCH 2/5] diff --color-moved-ws: fix out of bounds string access When adjusting the start of the string to take account of the change in indentation the code was not checking that the string being adjusted was in fact longer than the indentation change. This was detected by asan. Signed-off-by: Phillip Wood Reviewed-by: Stefan Beller Signed-off-by: Junio C Hamano --- diff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/diff.c b/diff.c index 566419dc75..6f12212134 100644 --- a/diff.c +++ b/diff.c @@ -865,7 +865,7 @@ static int cmp_in_block_with_wsd(const struct diff_options *o, al -= wslen; } - if (strcmp(a, c)) + if (al != cl || memcmp(a, c, al)) return 1; return 0; From fe4516d103e69e74513be33f78768ac43acf3daa Mon Sep 17 00:00:00 2001 
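Review bot: The new loop `for(i = 0; i < pmb_nr; i++)` here, and `for(n = 0; n < pmb_nr; n++)` in the last hunk of this patch (@@ -1135), lack the space after `for` that the surrounding code uses (`for (i = 0; i < pmb_nr; i++)` in pmb_advance_or_null()); write `for (i = 0; i < pmb_nr; i++)` and `for (n = 0; n < pmb_nr; n++)`. The second loop also reuses the outer `n` after the main loop has finished; that is harmless, but a fresh index would read more clearly since `n` appears to be a line number everywhere else in mark_color_as_moved(). The enclosing function begins and ends outside this hunk.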
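Review bot: When compute_ws_delta() returns 0 the slot `pmb[pmb_nr]` is neither counted nor cleared, so this call site relies on compute_ws_delta() leaving `*out` untouched on failure; as the function reads at this commit (its old body is visible as context in the patch 3 hunk) it duplicates the indentation string before the comparison, so a failed call leaves an allocation in the unused slot that the next reuse of that slot silently overwrites. Patch 3 in this series reorders the function, but the call site should state the contract it depends on, e.g. `/* on failure compute_ws_delta() must leave wsd untouched: the slot is reused without being cleared */`. The else branch sets only `wsd.string = NULL` and leaves `wsd.current_longer` uninitialised, which is fine because cmp_in_block_with_wsd() tests `wsd.string` first, but setting `current_longer = 0` alongside it would leave no uninitialised field in the array.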
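Review bot: The new `al != cl || memcmp(a, c, al)` stops the over-read, but the pointer adjustments `c += wslen; cl -= wslen;` and the corresponding adjustment of `a`/`al` on the other branch, just above this hunk, still run first, so when the stored delta is longer than the line a pointer past the end of the buffer is formed and the remaining length presumably goes negative before the comparison rejects it (the types of al and cl are not visible here). Rejecting before the arithmetic is both explicit and keeps the pointers in bounds: on the branch that shortens cl, `if (wslen > cl) return 1;` before `c += wslen;`, and the same for al on the other branch, with a cast if the lengths are signed. The equality test can then remain as the final check. cmp_in_block_with_wsd() begins outside this hunk.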
From: Phillip Wood Date: Thu, 4 Oct 2018 11:07:43 +0100 Subject: [PATCH 3/5] diff --color-moved-ws: fix a memory leak Don't duplicate the indentation string if we're not going to use it. This was found with asan. Signed-off-by: Phillip Wood Reviewed-by: Stefan Beller Signed-off-by: Junio C Hamano --- diff.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/diff.c b/diff.c index 6f12212134..38f26091f3 100644 --- a/diff.c +++ b/diff.c @@ -811,10 +811,13 @@ static int compute_ws_delta(const struct emitted_diff_symbol *a, const struct emitted_diff_symbol *shorter = a->len > b->len ? b : a; int d = longer->len - shorter->len; + if (strncmp(longer->line + d, shorter->line, shorter->len)) + return 0; + out->string = xmemdupz(longer->line, d); out->current_longer = (a == longer); - return !strncmp(longer->line + d, shorter->line, shorter->len); + return 1; } static int cmp_in_block_with_wsd(const struct diff_options *o, From 9c1a6c2bf8375a6652fd98439438e92626a00167 Mon Sep 17 00:00:00 2001 From: Phillip Wood Date: Thu, 4 Oct 2018 11:07:44 +0100 Subject: [PATCH 4/5] diff --color-moved-ws: fix another memory leak This is obvious in retrospect, it was found with asan. Signed-off-by: Phillip Wood Reviewed-by: Stefan Beller Signed-off-by: Junio C Hamano --- diff.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/diff.c b/diff.c index 38f26091f3..e0ebddfac9 100644 --- a/diff.c +++ b/diff.c @@ -994,6 +994,8 @@ static void pmb_advance_or_null_multi_match(struct diff_options *o, moved_block_clear(&pmb[i]); } } + + free(got_match); } static int shrink_potential_moved_blocks(struct moved_block *pmb, From 47cb16a26447b32f5440c3a109ad5f16a5f735bd Mon Sep 17 00:00:00 2001 From: Phillip Wood Date: Thu, 4 Oct 2018 11:07:45 +0100 Subject: [PATCH 5/5] diff --color-moved: fix a memory leak Free the hashmap items as well as the hashmap itself. This was found with asan. Signed-off-by: Phillip Wood Reviewed-by: Stefan Beller 
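Review bot: compute_ws_delta() now has a clean split — on 0 it writes nothing to `*out`, on 1 `out->string` is a fresh xmemdupz() allocation the caller owns — but the function still has no header comment, and the caller in mark_color_as_moved() depends on exactly that split to avoid leaking an unused slot. A comment block above the signature (outside this hunk) should say: returns 1 and fills `*out` when the shorter line equals the tail of the longer one, with `out->string` holding the leading `d` bytes of the longer line and owned by the caller; returns 0 and leaves `*out` untouched otherwise. It should also note that `d == 0` is valid and yields an empty but non-NULL string, since callers test `wsd.string` against NULL to mean "no delta".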
Signed-off-by: Junio C Hamano --- diff.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/diff.c b/diff.c index e0ebddfac9..c29b1cce14 100644 --- a/diff.c +++ b/diff.c @@ -5852,8 +5852,8 @@ static void diff_flush_patch_all_file_pairs(struct diff_options *o) if (o->color_moved == COLOR_MOVED_ZEBRA_DIM) dim_moved_lines(o); - hashmap_free(&add_lines, 0); - hashmap_free(&del_lines, 0); + hashmap_free(&add_lines, 1); + hashmap_free(&del_lines, 1); } for (i = 0; i < esm.nr; i++)
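Review bot: The second argument changing from 0 to 1 is the whole fix, but a bare `1` does not tell a reader that the moved_entry structs allocated in prepare_entry() are now released together with the map; `hashmap_free(&add_lines, 1); /* also free the moved_entry items from prepare_entry() */` would. Freeing them here is safe only because the entries merely borrow their `es` pointer into o->emitted_symbols (prepare_entry() stores `l` without copying) and the pmb array that pointed at them is freed inside mark_color_as_moved(); both hold as far as this series shows, and the `for (i = 0; i < esm.nr; i++)` loop that follows appears to walk esm rather than the maps. diff_flush_patch_all_file_pairs() begins and ends outside the hunk.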