
[PATCH] Fix potential crash in libsvn_repos when executing pre-commit hook

From: Sergey Raevskiy <sergey.raevskiy_at_visualsvn.com>
Date: Thu, 5 Feb 2015 22:19:47 +0300

Hi!

I've discovered another crash in the lock-related code. Use of the deprecated
API function svn_fs_access_add_lock_token() leads to a crash when the
pre-commit hook is executed.

The function svn_fs_access_add_lock_token() simply calls
svn_fs_access_add_lock_token2() and passes some magic value ((const char *) 1)
as the PATH parameter. This condition is not checked by the function
lock_token_content(), which is used to prepare the STDIN contents for the
pre-commit hook:

[[[
static svn_error_t *
lock_token_content(apr_file_t **handle, apr_hash_t *lock_tokens,
                   apr_pool_t *pool)
{
  ...

  for (hi = apr_hash_first(pool, lock_tokens); hi;
       hi = apr_hash_next(hi))
    {
      const char *token = apr_hash_this_key(hi);
      const char *path = apr_hash_this_val(hi);

      svn_stringbuf_appendstr(lock_str,
        svn_stringbuf_createf(pool, "%s|%s\n",
                              svn_path_uri_autoescape(path, pool),
                              token));
    }

    ...
}
]]]

I've attached a patch with a crashing test and a simple fix, but I'm not really
sure about my solution. A probably better approach would be to replace the magic
pointer value with an empty string, but I'm not sure about binary compatibility
etc.

Log message:
[[[
Fix potential crash in libsvn_repos when executing pre-commit hook.

* subversion/subversion/libsvn_repos/hooks.c
  (lock_token_content): Add special handling for 'magic' value
   ((const char *) 1).

* subversion/subversion/tests/libsvn_repos/repos-test.c
  (pre_commit_hook_lock_token_without_path): New.
  (test_funcs): Add new test.

Patch by: sergey.raevskiy{_AT_}visualsvn.com
]]]

Received on 2015-02-05 20:21:08 CET

This is an archived mail posted to the Subversion Dev mailing list.
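
The failure mode described in this mail, as an added example that is not part of the original post or the attached patch: a standalone C program (no APR; `struct lock_entry`, `format_lock_tokens` and `NO_PATH` are hypothetical names) that compares each path against the magic value before it is dereferenced. Emitting an empty path for such entries is an assumption here, not necessarily what the patch does.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The magic value from the mail: non-NULL, but not a readable string. */
#define NO_PATH ((const char *) 1)

struct lock_entry {      /* hypothetical stand-in for one hash entry */
  const char *token;     /* the hash key in lock_token_content() */
  const char *path;      /* the hash value; may be NO_PATH */
};

/* Write "path|token\n" for each entry into buf. Returns the number of
   bytes written, or -1 if buf is too small. A NULL check alone does not
   catch NO_PATH, so the sentinel is compared explicitly before use. */
static int
format_lock_tokens(char *buf, size_t buflen,
                   const struct lock_entry *entries, size_t count)
{
  size_t used = 0, i;

  if (buflen == 0)
    return -1;
  buf[0] = '\0';
  for (i = 0; i < count; i++)
    {
      const char *path = entries[i].path;
      int n;

      if (path == NULL || path == NO_PATH)
        path = "";   /* assumption: report such tokens with an empty path */
      n = snprintf(buf + used, buflen - used, "%s|%s\n",
                   path, entries[i].token);
      if (n < 0 || (size_t) n >= buflen - used)
        return -1;   /* output would be truncated */
      used += (size_t) n;
    }
  return (int) used;
}

int main(void)
{
  const struct lock_entry e[] = {   /* constructed sample data */
    { "opaquelocktoken:aaaa", "/trunk/a.txt" },
    { "opaquelocktoken:bbbb", NO_PATH } };
  char buf[256];
  if (format_lock_tokens(buf, sizeof buf, e, 2) >= 0)
    fputs(buf, stdout);
  return 0;
}
```

Without the `path == NO_PATH` comparison, the `%s` conversion reads from address 1, which is the same class of crash the mail reports in `svn_path_uri_autoescape(path, pool)`.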
