Crash when using path limit in ui-patch.c

Thu Nov 24 19:49:06 CET 2016

On Thu, Nov 24, 2016 at 10:57:22AM +0100, Florian Pritz wrote:
> I get the following backtrace when trying to use the path limit feature
> while getting a patch.
> 
> > #0  0x0000000000467bb5 in prefix_pathspec (item=0x77ba48, p_short_magic=0x7fffffffb2e8, raw=0x76e488, flags=0, prefix=0x0, prefixlen=0, elt=0x3637353238343130 <error: Cannot access memory at address 0x3637353238343130>) at pathspec.c:149
> > #1  0x0000000000468872 in parse_pathspec (pathspec=0x7fffffffc550, magic_mask=0, flags=0, prefix=0x0, argv=0x76e480) at pathspec.c:418
> > #2  0x0000000000487efb in setup_revisions (argc=4, argv=0x7fffffffc430, revs=0x7fffffffc500, opt=0x0) at revision.c:2253
> > #3  0x00000000004135eb in cgit_print_patch (new_rev=0x791670 "03c580a9b31fb82187de3c882bc274441c41847d", old_rev=0x0, prefix=0x76dfd0 "application/libraries") at ../ui-patch.c:88
> > #4  0x0000000000409534 in patch_fn () at ../cmd.c:119
> > #5  0x0000000000407281 in process_request () at ../cgit.c:744
> > #6  0x0000000000408d2b in cache_process (size=0, path=0x4fc87a "/var/cache/cgit", key=0x777670 "users/flo/filebin/patch/application/libraries?id=03c580a9b31fb82187de3c882bc274441c41847d", ttl=-1, fn=0x407141 <process_request>) at ../cache.c:367
> > #7  0x00000000004083aa in cmd_main (argc=1, argv=0x7fffffffe048) at ../cgit.c:1092
> > #8  0x000000000041d40b in main (argc=1, argv=0x7fffffffe048) at common-main.c:40
> 
> I'm not exactly sure what is going on, but I don't have the time to
> debug so I cobbled together a quick test case for this which you can
> view here: https://paste.xinu.at/vgCm/
> 
> The test "works" before commit 5fe88a9c81517b1a8a93d930c738cbb6f71dec2a
> since that introduces the feature and using the path limit doesn't
> actually change the output. It's just a quick reproducer.

Where does the test fail for you?  I assume it's the line:

	cgit_query "url=foo/patch/file-5"

which doesn't fail for me.  The only failure I get is because CGit
inserts a message "(limited to 'file-5')" which is not inserted by
git-format-patch.

I had a quick look at the code, and even though I can't trigger a
failure, the count passed in to setup_revisions() does look suspicious.
Can you try the patch below and see if it fixes the problem?

-- >8 --

diff --git a/ui-patch.c b/ui-patch.c
index ec7f3523..d29f74c7 100644
--- a/ui-patch.c
+++ b/ui-patch.c
@@ -85,8 +85,7 @@ void cgit_print_patch(const char *new_rev, const char *old_rev,
 			DIFF_FORMAT_PATCH | DIFF_FORMAT_SUMMARY;
 	if (prefix)
 		rev.diffopt.stat_sep = fmt("(limited to '%s')\n\n", prefix);
-	setup_revisions(ARRAY_SIZE(rev_argv), rev_argv, &rev,
-			NULL);
+	setup_revisions(rev_argc, rev_argv, &rev, NULL);
 	prepare_revision_walk(&rev);
 
 	while ((commit = get_revision(&rev)) != NULL) {
