
Commit 95fa388

pqueue: resolve possible NULL pointer dereference
The `git_pqueue` struct allows being fixed in its total number of entries. In this case, we simply throw away items that are inserted into the priority queue by examining whether the new item to be inserted has a higher priority than the previous smallest one. This feature somewhat contradicts our pqueue implementation in that it is allowed to not have a comparison function. In fact, we also fail to check if the comparison function is actually set in the case where we add a new item into a fully filled fixed-size pqueue. As we cannot determine which item is the smallest item in absence of a comparison function, we fix the `NULL` pointer dereference by simply dropping all new items which are about to be inserted into a full fixed-size pqueue.
1 parent e3298a3 commit 95fa388

2 files changed

+25
-2
lines changed


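--- a/src/pqueue.c
+++ b/src/pqueue.c
@@ -86,8 +86,9 @@ int git_pqueue_insert(git_pqueue *pq, void *item)
 if ((pq->flags & GIT_PQUEUE_FIXED_SIZE) != 0 &&
 pq->length >= pq->_alloc_size)
 {
-/* skip this item if below min item in heap */
-if (pq->_cmp(item, git_vector_get(pq, 0)) <= 0)
+/* skip this item if below min item in heap or if
+* we do not have a comparison function */
+if (!pq->_cmp || pq->_cmp(item, git_vector_get(pq, 0)) <= 0)
 return 0;
 /* otherwise remove the min item before inserting new */
 (void)git_pqueue_pop(pq);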
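Review bot: The new guard makes a full fixed-size queue without a comparator discard every further item while git_pqueue_insert still returns 0, so a caller cannot distinguish a dropped insert from a successful one; the code does not say that this is deliberate. I would make the comment explicit about the contract, e.g. `/* skip this item if below min item in heap; without a comparison function the min item cannot be determined, so the item is dropped unconditionally (still reported as success) */`, and state the same in the public doc comment for git_pqueue_insert. It may also be worth having git_pqueue_init reject GIT_PQUEUE_FIXED_SIZE together with a NULL comparator, since the fixed-size behaviour only makes sense with an ordering, but that path is outside this hunk. git_pqueue_insert begins before this hunk and its body continues after it.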

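--- a/tests/core/pqueue.c
+++ b/tests/core/pqueue.c
@@ -93,7 +93,29 @@ void test_core_pqueue__max_heap_size(void)
 cl_assert_equal_i(0, git_pqueue_size(&pq));
 
 git_pqueue_free(&pq);
+}
+
+void test_core_pqueue__max_heap_size_without_comparison(void)
+{
+git_pqueue pq;
+int i, vals[100] = { 0 };
+
+cl_git_pass(git_pqueue_init(&pq, GIT_PQUEUE_FIXED_SIZE, 50, NULL));
+
+for (i = 0; i < 100; ++i)
+cl_git_pass(git_pqueue_insert(&pq, &vals[i]));
 
+cl_assert_equal_i(50, git_pqueue_size(&pq));
+
+/* As we have no comparison function, we cannot make any
+* actual assumptions about which entries are part of the
+* pqueue */
+for (i = 0; i < 50; ++i)
+cl_assert(git_pqueue_pop(&pq));
+
+cl_assert_equal_i(0, git_pqueue_size(&pq));
+
+git_pqueue_free(&pq);
 }
 
 static int cmp_ints_like_commit_time(const void *a, const void *b)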
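Review bot: The pop loop in test_core_pqueue__max_heap_size_without_comparison only checks that 50 pops return non-NULL, although a stronger, still comparator-independent property follows from the guard added in src/pqueue.c: once the queue is full every later insert is dropped, so each popped pointer must point into the first 50 elements of vals. Asserting that would catch a regression where later items displace earlier ones, which the count-only checks cannot see; this assumes git_pqueue_pop hands back the pointer that was inserted, as the existing tests in this file appear to rely on. Suggested replacement for the pop loop:

```c
/* … unchanged: init and the 100 inserts … */
for (i = 0; i < 50; ++i) {
	int *p = git_pqueue_pop(&pq);
	cl_assert(p != NULL);
	/* a full fixed-size queue drops later inserts, so only the first 50 can survive */
	cl_assert(p >= &vals[0] && p < &vals[50]);
}
```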
