svn-3426

Version:

1.6.2

Bug Link:

http://subversion.tigris.org/issues/show_bug.cgi?id=3426

Patch Link:

http://svn.apache.org/viewvc?diff_format=h&view=revision&revision=877720

Symptom:

fail on invalid input:

svn copy crashes with bogus source path

How it is diagnosed:

reproduced!

[peh003@soprano repository]$ svnadmin create demo

[peh003@soprano repository]$ cd ../wc/

[peh003@soprano wc]$ svn co file:///home/yyzhou/peh003/repository/demo/

Checked out revision 0.

[peh003@soprano wc]$ cd demo/

[peh003@soprano demo]$ svn mkdir trunk

A         trunk

[peh003@soprano demo]$ svn ci -m "making trunk"

Adding         trunk

Committed revision 1.

[peh003@soprano demo]$ svn up

At revision 1.

[peh003@soprano demo]$ svn copy --parents file:///home/yyzhou/peh003/repository/demo/trunk file:///home/yyzhou/peh003/repository/demo/tags/release-1.0 -m "Tagging 1.0 release"

Committed revision 2.

[peh003@soprano demo]$ svn copy BASE/**cannot recognize BASE**/ file:///home/yyzhou/peh003/repository/demo/tags/release-2.0 -m "Tagging 2.0 release"

Segmentation fault

[peh003@soprano demo]$ svn copy foo /**foo is bogus**/

file:///home/yyzhou/peh003/repository/demo/tags/release-3.0 -m "Tagging 3.0 release"

Segmentation fault

[peh003@soprano demo]$ svn copy .@BASE file:///home/yyzhou/peh003/repository/demo/tags/release-2.0 -m "Tagging 2.0 release"   /**it works**/

Committed revision 3.

Root Cause:

Brief:

derefrence NULL pointer

Detail:

static svn_error_t *
wc_to_repos_copy(...)
{
 ...
 /* The commit process uses absolute paths*/
 for (i = 0; i < copy_pairs->nelts; i++)
   {
     svn_client__copy_pair_t *pair = APR_ARRAY_IDX(copy_pairs, i,
                                                   svn_client__copy_pair_t *);

       /*Sanity check if the source path is versioned. */    

       /**

adding this check here will check if foo is under version control, for the case  

above, it will find “foo” is not under control.

So it reports the error and stop preceding.

      **/

+     SVN_ERR(svn_wc__entry_versioned(&entry, pair->src, adm_access, FALSE, iterpool));
      SVN_ERR(svn_path_get_absolute(&pair->src_abs, pair->src, pool));
   }
     ...

 for (i = 0; i < copy_pairs->nelts; i++)
   {
     svn_node_kind_t dst_kind;
     const char *dst_rel;
     svn_client__copy_pair_t *pair =
       APR_ARRAY_IDX(copy_pairs, i, svn_client__copy_pair_t *);
     svn_pool_clear(iterpool);
     SVN_ERR(svn_wc_entry(&entry, pair->src, adm_access, FALSE, iterpool));

/*  after this entry = NULL, dereferencing it results in segfault

     actually, this the entry pointer is svn_wc_entry “return value”, in bug#3727, it checked entry  

     before use it

*/
     pair->src_revnum =
entry->revision;
     ...
   }
 svn_pool_destroy(iterpool);
 ...
 return svn_wc_adm_close2(adm_access, pool);
}

Failure symptom category

Segment fault

Is there any log message?

Yes

How can ErrLog automatically insert error messag?

Signal handler.