transports: smart: fix potential invalid memory dereferences

When we receive a packet of exactly four bytes encoding its
length as those four bytes it can be treated as an empty line.
While it is not really specified how those empty lines should be
treated, we currently ignore them and do not return an error when
trying to parse it but simply advance the data pointer.

Callers invoking `git_pkt_parse_line` are currently not prepared
to handle this case as they do not explicitly check this case.
While they could always reset the passed out-pointer to `NULL`
before calling `git_pkt_parse_line` and determine if the pointer
has been set afterwards, it makes more sense to update
`git_pkt_parse_line` to set the out-pointer to `NULL` itself when
it encounters such an empty packet. Like this it is guaranteed
that there will be no invalid memory references to free'd
pointers.

As such, the issue has been fixed such that `git_pkt_parse_line`
always sets the packet out pointer to `NULL` when an empty packet
has been received and callers check for this condition, skipping
such packets.

Author: pks-t

src/transports/smart_pkt.c

@@ -433,6 +433,7 @@ int git_pkt_parse_line(
 	 * line?
 	 */
 	if (len == PKT_LEN_SIZE) {
+		*head = NULL;
 		*out = line;
 		return 0;
 	}

src/transports/smart_protocol.c

@@ -759,6 +759,14 @@ static int add_push_report_sideband_pkt(git_push *push, git_pkt_data *data_pkt,
 		line_len -= (line_end - line);
 		line = line_end;
 
+		/* When a valid packet with no content has been
+		 * read, git_pkt_parse_line does not report an
+		 * error, but the pkt pointer has not been set.
+		 * Handle this by skipping over empty packets.
+		 */
+		if (pkt == NULL)
+			continue;
+
 		error = add_push_report_pkt(push, pkt);
 
 		git_pkt_free(pkt);
@@ -813,6 +821,9 @@ static int parse_report(transport_smart *transport, git_push *push)
 
 		error = 0;
 
+		if (pkt == NULL)
+			continue;
+
 		switch (pkt->type) {
 			case GIT_PKT_DATA:
 				/* This is a sideband packet which contains other packets */