fsfs: Segfault when rep line lists the all-zeroes checksum

From: Daniel Shahaf <d.s_at_daniel.shahaf.name>
Date: Mon, 29 Aug 2016 16:57:19 +0000

When the "props:" line in a noderev lists an all-zeroes checksum, FSFS
segfaults:

[[[
% cat repro.sh
#!/bin/sh
rm -rf r wc
svnadmin create r
svn co -q file://`pwd`/r wc
svn ps -q k v wc
svn ci -qmm wc
echo "First dump:"
svnadmin dump -q r >/dev/null
perl -pi -e 's/[0-9a-f]{16,}/"0" x length $&/e if /^props:/' r/db/revs/0/1
echo "Second dump:"
svnadmin dump -q r >/dev/null
]]]

Output:
[[[
% ./repro.sh
First dump:
Second dump:
Segmentation fault
zsh: exit 139 ./repro.sh
]]]

This is caused by these two lines in svn_fs_fs__parse_representation():
.
801 SVN_ERR(svn_checksum_parse_hex(&checksum, svn_checksum_md5, str,
802 scratch_pool));
803 memcpy(rep->md5_digest, checksum->digest, sizeof(rep->md5_digest));
.
Line 801 sets CHECKSUM to NULL (as promised by svn_checksum_parse_hex()'s
docstring), line 803 dereferences it unconditionally.

I'm not aware of any way to create such text:/props: lines via the API,
but they're useful when editing revision files by hand, and in any case
invalid on-disk data should not cause segfaults.

Ivan bisected this to r1462727.

Cheers,

Daniel
Received on 2016-08-29 18:57:45 CEST

This message: [ Message body ]
Next message: Paul Hammant: "Re: Svn capability for SparkleShare"
Previous message: Evgeny Kotkov: "Re: Unbounded memory usage in mod_dav + mod_headers/mod_deflate/..."
Next in thread: Stefan Fuhrmann: "Re: fsfs: Segfault when rep line lists the all-zeroes checksum"
Reply: Stefan Fuhrmann: "Re: fsfs: Segfault when rep line lists the all-zeroes checksum"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]