run-command: avoid close(-1) in start_command() error paths

When start_command() fails to set up a pipe partway through, it
rolls back by closing the pipe ends it has already opened. For
descriptors supplied by the caller rather than allocated locally,
that rollback tested `if (cmd->in)` / `if (cmd->out)` before calling
close(). The CHILD_PROCESS_INIT default of -1 ("no descriptor") is
non-zero and so passes the test, meaning a caller that sets
cmd->no_stdin or cmd->no_stdout without supplying a real fd ends up
triggering close(-1) on the error path.

The stdin-pipe failure branch a few lines above already uses the
right idiom, `if (cmd->out > 0)`, which rejects both the -1 sentinel
and 0 (the parent's own standard streams). Apply it to the three
remaining rollback sites.

Reported by Coverity as CID 1049722 ("Argument cannot be negative").

Assisted-by: Opus 4.7
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
seen
Johannes Schindelin 2026-07-01 07:04:22 +00:00 committed by Junio C Hamano
parent ba27cdc45e
commit f010cf0678
1 changed files with 3 additions and 3 deletions

View File

@ -706,7 +706,7 @@ int start_command(struct child_process *cmd)
failed_errno = errno;
if (need_in)
close_pair(fdin);
else if (cmd->in)
else if (cmd->in > 0)
close(cmd->in);
str = "standard output";
goto fail_pipe;
@ -720,11 +720,11 @@ int start_command(struct child_process *cmd)
failed_errno = errno;
if (need_in)
close_pair(fdin);
else if (cmd->in)
else if (cmd->in > 0)
close(cmd->in);
if (need_out)
close_pair(fdout);
else if (cmd->out)
else if (cmd->out > 0)
close(cmd->out);
str = "standard error";
fail_pipe: