r1822401 | stsp | 2018-01-27 12:38:39 +0000 (Sat, 27 Jan 2018)

Fix a 'dereference pointer to the wrong object' crash in the conflict resolver.

* subversion/libsvn_client/conflicts.c
  (configure_option_incoming_move_file_merge,
   configure_option_incoming_dir_merge): The tree_conflict_incoming_details
   pointer does not necessarily point to a data structure of type
   struct conflict_tree_incoming_delete_details. E.g. in case of incoming
   edits it will point to an apr_array_header_t. Only cast this pointer to
   struct conflict_tree_incoming_delete_details if the incoming change is
   in fact a deletion. Otherwise, we can crash since
   struct conflict_tree_incoming_delete_details (72 bytes) is larger than
   apr_array_header_t (32 bytes), and a read of the larger type through this
   pointer could run into unmapped address space. Generally, accessing one
   type of object through another type of pointer is undefined behaviour.

Found by: svn-bb-openbsd buildbot
Discussed with: brane
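
An added illustration of the pattern the r1822401 log message describes, not Subversion's code: the struct layouts, enum and function names below are hypothetical stand-ins. Only the rule comes from the message: check that the incoming change is a deletion before viewing the details pointer as delete details.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for the two object kinds in the log message;
   names and field layouts are invented for this example. */
enum incoming_change { INCOMING_EDIT, INCOMING_DELETE };
struct edit_list { int nelts; };                                   /* smaller */
struct delete_details { long deleted_rev; const char *moved_to; }; /* larger */

struct conflict {
    enum incoming_change change; /* discriminant for incoming_details */
    void *incoming_details;      /* edit_list or delete_details */
};

/* View the details as delete_details only if the change is a deletion. */
static const struct delete_details *
delete_details_or_null(const struct conflict *c)
{
    if (c == NULL || c->incoming_details == NULL)
        return NULL;
    if (c->change != INCOMING_DELETE)
        return NULL; /* casting here would read past the smaller object */
    return c->incoming_details;
}

/* Returns 1 and sets *target if a move target is known, else 0. */
static int
configure_move_option(const struct conflict *c, const char **target)
{
    const struct delete_details *d = delete_details_or_null(c);

    if (d == NULL || d->moved_to == NULL)
        return 0;
    *target = d->moved_to;
    return 1;
}

int main(void)
{
    /* Constructed sample objects. */
    struct edit_list edits = { 3 };
    struct delete_details del = { 42, "trunk/new-name.c" };
    struct conflict c_edit = { INCOMING_EDIT, &edits };
    struct conflict c_del = { INCOMING_DELETE, &del };
    const char *target = NULL;

    printf("edit: %d\n", configure_move_option(&c_edit, &target));
    printf("delete: %d\n", configure_move_option(&c_del, &target));
    return 0;
}
```
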
r1875188 | stsp | 2020-03-14 11:38:57 +0000 (Sat, 14 Mar 2020)

Plug error leaks in newly added mergeinfo tests.

Found by: svn-bb-openbsd buildbot
https://ci.apache.org/builders/svn-bb-openbsd/builds/510/steps/Test/logs/faillog-ra_svn-fsfs

[[[
subversion/tests/svn_test_main.c:475: (apr_err=SVN_ERR_TEST_FAILED)
svn_tests: E200006: Test crashed (run in debugger with '--allow-segfaults')
FAIL: mergeinfo-test 25: test rangelist merge random non-validated inputs
]]]

Core was generated by `mergeinfo-test'.
Program terminated with signal SIGABRT, Aborted.
#0 *_libc_abort () at /usr/src/lib/libc/stdlib/abort.c:57
57 memset(&sa, 0, sizeof(sa));
(gdb) up
#1 0x0000010070bcff68 in err_abort (data=0x10022671880)
156 abort();
(gdb) list
151 {
152 svn_error_t *err = data; /* For easy viewing in a debugger */
153 SVN_UNUSED(err);
154
155 if (!getenv("SVN_DBG_NO_ABORT_ON_ERROR_LEAK"))
156 abort();
157 return APR_SUCCESS;
158 }
159 #endif
160
(gdb) p *err
$3 = {apr_err = 235000, message = 0x1001bc9c280 "In file 'subversion/libsvn_subr/mergeinfo.c' line 1096: assertion failed (rangelist_is_sorted(chg))", child = 0x0, pool = 0x10085adbc00, file = 0x10070d799b0 "subversion/libsvn_subr/mergeinfo.c", line = 1096}
(gdb)

* subversion/tests/libsvn_subr/mergeinfo-test.c
  (clear_failure_mode_errors): New helper function. Clears errors accumulated
   during a test run.
  (test_rangelist_merge_random_canonical_inputs,
   test_rangelist_merge_random_semi_c_inputs,
   test_rangelist_merge_random_non_validated_inputs): Clear accumulated errors.