mirror of
https://github.com/git/git.git
synced 2024-05-26 09:26:37 +02:00
ec9d224903
For blobs, we want to make sure the on-disk data is not corrupted (i.e. can be inflated and produce the expected SHA-1). Blob content is opaque, there's nothing else inside to check for. For really large blobs, we may want to avoid unpacking the entire blob in memory, just to check whether it produces the same SHA-1. On 32-bit systems, we may not have enough virtual address space for such memory allocation. And even on 64-bit where it's not a problem, allocating a lot more memory could result in kicking other parts of systems to swap file, generating lots of I/O and slowing everything down. For this particular operation, not unpacking the blob and letting check_sha1_signature, which supports streaming interface, do the job is sufficient. check_sha1_signature() is not shown in the diff, unfortunately. But if will be called when "data_valid && !data" is false. We will call the callback function "fn" with NULL as "data". The only callback of this function is fsck_obj_buffer(), which does not touch "data" at all if it's a blob. Signed-off-by: Nguyễn Thái Ngọc Duy <pclouds@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
201 lines
5.4 KiB
C
201 lines
5.4 KiB
C
#include "cache.h"
|
|
#include "pack.h"
|
|
#include "pack-revindex.h"
|
|
#include "progress.h"
|
|
|
|
struct idx_entry {
|
|
off_t offset;
|
|
const unsigned char *sha1;
|
|
unsigned int nr;
|
|
};
|
|
|
|
static int compare_entries(const void *e1, const void *e2)
|
|
{
|
|
const struct idx_entry *entry1 = e1;
|
|
const struct idx_entry *entry2 = e2;
|
|
if (entry1->offset < entry2->offset)
|
|
return -1;
|
|
if (entry1->offset > entry2->offset)
|
|
return 1;
|
|
return 0;
|
|
}
|
|
|
|
int check_pack_crc(struct packed_git *p, struct pack_window **w_curs,
|
|
off_t offset, off_t len, unsigned int nr)
|
|
{
|
|
const uint32_t *index_crc;
|
|
uint32_t data_crc = crc32(0, NULL, 0);
|
|
|
|
do {
|
|
unsigned long avail;
|
|
void *data = use_pack(p, w_curs, offset, &avail);
|
|
if (avail > len)
|
|
avail = len;
|
|
data_crc = crc32(data_crc, data, avail);
|
|
offset += avail;
|
|
len -= avail;
|
|
} while (len);
|
|
|
|
index_crc = p->index_data;
|
|
index_crc += 2 + 256 + p->num_objects * (20/4) + nr;
|
|
|
|
return data_crc != ntohl(*index_crc);
|
|
}
|
|
|
|
static int verify_packfile(struct packed_git *p,
|
|
struct pack_window **w_curs,
|
|
verify_fn fn,
|
|
struct progress *progress, uint32_t base_count)
|
|
|
|
{
|
|
off_t index_size = p->index_size;
|
|
const unsigned char *index_base = p->index_data;
|
|
git_SHA_CTX ctx;
|
|
unsigned char sha1[20], *pack_sig;
|
|
off_t offset = 0, pack_sig_ofs = 0;
|
|
uint32_t nr_objects, i;
|
|
int err = 0;
|
|
struct idx_entry *entries;
|
|
|
|
/* Note that the pack header checks are actually performed by
|
|
* use_pack when it first opens the pack file. If anything
|
|
* goes wrong during those checks then the call will die out
|
|
* immediately.
|
|
*/
|
|
|
|
git_SHA1_Init(&ctx);
|
|
do {
|
|
unsigned long remaining;
|
|
unsigned char *in = use_pack(p, w_curs, offset, &remaining);
|
|
offset += remaining;
|
|
if (!pack_sig_ofs)
|
|
pack_sig_ofs = p->pack_size - 20;
|
|
if (offset > pack_sig_ofs)
|
|
remaining -= (unsigned int)(offset - pack_sig_ofs);
|
|
git_SHA1_Update(&ctx, in, remaining);
|
|
} while (offset < pack_sig_ofs);
|
|
git_SHA1_Final(sha1, &ctx);
|
|
pack_sig = use_pack(p, w_curs, pack_sig_ofs, NULL);
|
|
if (hashcmp(sha1, pack_sig))
|
|
err = error("%s SHA1 checksum mismatch",
|
|
p->pack_name);
|
|
if (hashcmp(index_base + index_size - 40, pack_sig))
|
|
err = error("%s SHA1 does not match its index",
|
|
p->pack_name);
|
|
unuse_pack(w_curs);
|
|
|
|
/* Make sure everything reachable from idx is valid. Since we
|
|
* have verified that nr_objects matches between idx and pack,
|
|
* we do not do scan-streaming check on the pack file.
|
|
*/
|
|
nr_objects = p->num_objects;
|
|
ALLOC_ARRAY(entries, nr_objects + 1);
|
|
entries[nr_objects].offset = pack_sig_ofs;
|
|
/* first sort entries by pack offset, since unpacking them is more efficient that way */
|
|
for (i = 0; i < nr_objects; i++) {
|
|
entries[i].sha1 = nth_packed_object_sha1(p, i);
|
|
if (!entries[i].sha1)
|
|
die("internal error pack-check nth-packed-object");
|
|
entries[i].offset = nth_packed_object_offset(p, i);
|
|
entries[i].nr = i;
|
|
}
|
|
qsort(entries, nr_objects, sizeof(*entries), compare_entries);
|
|
|
|
for (i = 0; i < nr_objects; i++) {
|
|
void *data;
|
|
enum object_type type;
|
|
unsigned long size;
|
|
off_t curpos;
|
|
int data_valid;
|
|
|
|
if (p->index_version > 1) {
|
|
off_t offset = entries[i].offset;
|
|
off_t len = entries[i+1].offset - offset;
|
|
unsigned int nr = entries[i].nr;
|
|
if (check_pack_crc(p, w_curs, offset, len, nr))
|
|
err = error("index CRC mismatch for object %s "
|
|
"from %s at offset %"PRIuMAX"",
|
|
sha1_to_hex(entries[i].sha1),
|
|
p->pack_name, (uintmax_t)offset);
|
|
}
|
|
|
|
curpos = entries[i].offset;
|
|
type = unpack_object_header(p, w_curs, &curpos, &size);
|
|
unuse_pack(w_curs);
|
|
|
|
if (type == OBJ_BLOB && big_file_threshold <= size) {
|
|
/*
|
|
* Let check_sha1_signature() check it with
|
|
* the streaming interface; no point slurping
|
|
* the data in-core only to discard.
|
|
*/
|
|
data = NULL;
|
|
data_valid = 0;
|
|
} else {
|
|
data = unpack_entry(p, entries[i].offset, &type, &size);
|
|
data_valid = 1;
|
|
}
|
|
|
|
if (data_valid && !data)
|
|
err = error("cannot unpack %s from %s at offset %"PRIuMAX"",
|
|
sha1_to_hex(entries[i].sha1), p->pack_name,
|
|
(uintmax_t)entries[i].offset);
|
|
else if (check_sha1_signature(entries[i].sha1, data, size, typename(type)))
|
|
err = error("packed %s from %s is corrupt",
|
|
sha1_to_hex(entries[i].sha1), p->pack_name);
|
|
else if (fn) {
|
|
int eaten = 0;
|
|
err |= fn(entries[i].sha1, type, size, data, &eaten);
|
|
if (eaten)
|
|
data = NULL;
|
|
}
|
|
if (((base_count + i) & 1023) == 0)
|
|
display_progress(progress, base_count + i);
|
|
free(data);
|
|
|
|
}
|
|
display_progress(progress, base_count + i);
|
|
free(entries);
|
|
|
|
return err;
|
|
}
|
|
|
|
int verify_pack_index(struct packed_git *p)
|
|
{
|
|
off_t index_size;
|
|
const unsigned char *index_base;
|
|
git_SHA_CTX ctx;
|
|
unsigned char sha1[20];
|
|
int err = 0;
|
|
|
|
if (open_pack_index(p))
|
|
return error("packfile %s index not opened", p->pack_name);
|
|
index_size = p->index_size;
|
|
index_base = p->index_data;
|
|
|
|
/* Verify SHA1 sum of the index file */
|
|
git_SHA1_Init(&ctx);
|
|
git_SHA1_Update(&ctx, index_base, (unsigned int)(index_size - 20));
|
|
git_SHA1_Final(sha1, &ctx);
|
|
if (hashcmp(sha1, index_base + index_size - 20))
|
|
err = error("Packfile index for %s SHA1 mismatch",
|
|
p->pack_name);
|
|
return err;
|
|
}
|
|
|
|
int verify_pack(struct packed_git *p, verify_fn fn,
|
|
struct progress *progress, uint32_t base_count)
|
|
{
|
|
int err = 0;
|
|
struct pack_window *w_curs = NULL;
|
|
|
|
err |= verify_pack_index(p);
|
|
if (!p->index_data)
|
|
return -1;
|
|
|
|
err |= verify_packfile(p, &w_curs, fn, progress, base_count);
|
|
unuse_pack(&w_curs);
|
|
|
|
return err;
|
|
}
|