TortoiseSVN crash dump


Found
r1706324, r1705328, r1705064, r1702288, r1702231, r1702218

r1706324 | kotkov | 2015-10-01 16:56:26 -0500 (Thu, 01 Oct 2015)

Fix a crash in libsvn_ra_serf's multistatus parser.

One way to reproduce it is by trying to do a -g reverse blame against a
Subversion 1.8 server:

  svn blame -g -r 1706092:1706091 https://svn.apache.org/repos/asf/subversion/trunk/README

When rolling responses through the transition table, the multistatus parser
gathers attributes — e.g., <D:href> or <D:status> values.  They could then
be accessed by the parser upon closing a tag.  There are situations, such as
in the example above, when we don't gather these attributes, because there
actually is nothing to gather:

  <?xml version="1.0" encoding="utf-8"?>
  <D:error xmlns:D="DAV:" xmlns:C="svn:">
    <C:error/>
  </D:error>

Collecting attributes is done in a lazy fashion, and the corresponding hash
table can be null if nothing was collected.  If we try to access it a close
callback, we crash.  Fix this by using null-aware svn_hash__get_cstring()
function where necessary.

Found by: TortoiseSVN crash dump

* subversion/libsvn_ra_serf/multistatus.c
  (multistatus_closed): Use svn_hash__get_cstring() to access the attribute
   table when it can be null, i.e., within the MS_RESPONSE, MS_PROPSTAT
   and D_ERROR state handling.


r1705328 | ivan | 2015-09-25 11:25:28 -0500 (Fri, 25 Sep 2015)

Resolve a possible segfault in authentication credentials cache caused by
storing key in APR hashtable without copying to long-life pool. I don't know
exact reproduction script, but it's obvious bug and crash reported via
TortoiseSVN crash dump service multiple times.

Found by: TortoiseSVN crash dump

* subversion/libsvn_subr/auth.c
  (svn_auth_next_credentials): Copy STATE->CACHE_KEY to AUTH_BATON->POOL
   before adding it to AUTH_BATON->CREDS_CACHE.


r1705064 | ivan | 2015-09-24 09:09:17 -0500 (Thu, 24 Sep 2015)

Resolve segfault in 'svn diff' when repository is on server root.

Found by: TortoiseSVN crash dump

* subversion/libsvn_ra_serf/serf.c
  (ra_serf_dup_session): Use svn_ra_serf__uri_parse() instead of
   apr_uri_parse() to convert URI.PATH to "/" if it's NULL.


r1702288 | ivan | 2015-09-10 11:08:50 -0500 (Thu, 10 Sep 2015)

Return error if get unexpected 'X-SVN-VR-Base' HTTP header value instead of
crashing.

Found by: TortoiseSVN crash dump

* subversion/libsvn_ra_serf/update.c
  (handle_fetch): Check FETCH_CTX->DELTA_BASE for NULL before comparing
   it to received header value.


r1702231 | ivan | 2015-09-10 07:19:16 -0500 (Thu, 10 Sep 2015)

Fix potential access to uninitialized memory during 'svn commit'. I don't
know exact reproduction script, but it's obvious bug and crash reported via
TortoiseSVN crash dump service multiple times.

Found by: TortoiseSVN crash dump

* subversion/libsvn_wc/adm_crawler.c
  (svn_wc__internal_transmit_text_deltas): Do not attempt to access checksum
   from checksummed stream if svn_stream_close() returns error.


r1702218 | ivan | 2015-09-10 06:21:46 -0500 (Thu, 10 Sep 2015)

Fix segfault in 'svn upgrade' of pre-Subversion 1.3 working copies with
externals.

Found by: TortoiseSVN crash dump

* subversion/libsvn_client/upgrade.c
  (upgrade_externals_from_properties): Accept INFO_BATON as argument instead
   of using uninitialized variable. 
  (svn_client_upgrade): Pass INFO_BATON to
   upgrade_externals_from_properties().