* [PATCH] reftable/iter: fix undefined behavior in indexed_table_ref_iter_next
@ 2026-01-02 19:16 Tsahi Elkayam
2026-01-03 7:35 ` Pushkar Singh
2026-01-04 2:49 ` Junio C Hamano
0 siblings, 2 replies; 6+ messages in thread
From: Tsahi Elkayam @ 2026-01-02 19:16 UTC (permalink / raw)
To: git@vger•kernel.org; +Cc: ps@pks•im
The indexed_table_ref_iter_next() function accesses ref->value.val2
without first checking the ref's value_type. This is undefined behavior
when the ref is not of type REFTABLE_REF_VAL2.
The correct pattern is already used in filtering_ref_iterator_next()
which checks value_type before accessing the appropriate union member.
Apply the same pattern here:
- Check for REFTABLE_REF_VAL2 before accessing val2 members
- Add missing check for REFTABLE_REF_VAL1 to handle single-value refs
This was marked with a "/* BUG */" comment indicating the issue was
known but not yet fixed.
Signed-off-by: Tsahi Elkayam <Tsahi.Elkayam@protonmail•com>
---
reftable/iter.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/reftable/iter.c b/reftable/iter.c
index 2ecc52b336..2eee65bb1e 100644
--- a/reftable/iter.c
+++ b/reftable/iter.c
@@ -171,12 +171,15 @@ static int indexed_table_ref_iter_next(void *p, struct reftable_record *rec)
}
continue;
}
- /* BUG */
- if (!memcmp(it->oid.buf, ref->value.val2.target_value,
- it->oid.len) ||
- !memcmp(it->oid.buf, ref->value.val2.value, it->oid.len)) {
+ if (ref->value_type == REFTABLE_REF_VAL2 &&
+ (!memcmp(it->oid.buf, ref->value.val2.target_value,
+ it->oid.len) ||
+ !memcmp(it->oid.buf, ref->value.val2.value, it->oid.len)))
+ return 0;
+
+ if (ref->value_type == REFTABLE_REF_VAL1 &&
+ !memcmp(it->oid.buf, ref->value.val1, it->oid.len))
return 0;
- }
}
}
--
2.37.1 (Apple Git-137.1)
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [PATCH] reftable/iter: fix undefined behavior in indexed_table_ref_iter_next
2026-01-02 19:16 [PATCH] reftable/iter: fix undefined behavior in indexed_table_ref_iter_next Tsahi Elkayam
@ 2026-01-03 7:35 ` Pushkar Singh
2026-01-04 10:13 ` Tsahi Elkayam
2026-01-04 2:49 ` Junio C Hamano
1 sibling, 1 reply; 6+ messages in thread
From: Pushkar Singh @ 2026-01-03 7:35 UTC (permalink / raw)
To: Tsahi Elkayam; +Cc: git@vger•kernel.org, ps@pks•im
Hi Tsahi,
Thanks for working on this.
The issue and fix make sense to me. Guarding access to the val2 members
behind a value_type check avoids the undefined behavior noted by the
existing comment, and explicitly handling REFTABLE_REF_VAL1 here matches
the pattern already used in filtering_ref_iterator_next().
I didn’t spot any issues with the control flow or logic in this change.
Thanks for addressing this.
Pushkar
On Sat, Jan 3, 2026 at 12:47 AM Tsahi Elkayam
<Tsahi.Elkayam@protonmail•com> wrote:
>
>
>
> The indexed_table_ref_iter_next() function accesses ref->value.val2
> without first checking the ref's value_type. This is undefined behavior
> when the ref is not of type REFTABLE_REF_VAL2.
>
> The correct pattern is already used in filtering_ref_iterator_next()
> which checks value_type before accessing the appropriate union member.
> Apply the same pattern here:
>
> - Check for REFTABLE_REF_VAL2 before accessing val2 members
> - Add missing check for REFTABLE_REF_VAL1 to handle single-value refs
>
> This was marked with a "/* BUG */" comment indicating the issue was
> known but not yet fixed.
>
> Signed-off-by: Tsahi Elkayam <Tsahi.Elkayam@protonmail•com>
> ---
> reftable/iter.c | 13 ++++++++-----
> 1 file changed, 8 insertions(+), 5 deletions(-)
>
> diff --git a/reftable/iter.c b/reftable/iter.c
> index 2ecc52b336..2eee65bb1e 100644
> --- a/reftable/iter.c
> +++ b/reftable/iter.c
> @@ -171,12 +171,15 @@ static int indexed_table_ref_iter_next(void *p, struct reftable_record *rec)
> }
> continue;
> }
> - /* BUG */
> - if (!memcmp(it->oid.buf, ref->value.val2.target_value,
> - it->oid.len) ||
> - !memcmp(it->oid.buf, ref->value.val2.value, it->oid.len)) {
> + if (ref->value_type == REFTABLE_REF_VAL2 &&
> + (!memcmp(it->oid.buf, ref->value.val2.target_value,
> + it->oid.len) ||
> + !memcmp(it->oid.buf, ref->value.val2.value, it->oid.len)))
> + return 0;
> +
> + if (ref->value_type == REFTABLE_REF_VAL1 &&
> + !memcmp(it->oid.buf, ref->value.val1, it->oid.len))
> return 0;
> - }
> }
> }
>
> --
> 2.37.1 (Apple Git-137.1)
>
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [PATCH] reftable/iter: fix undefined behavior in indexed_table_ref_iter_next
2026-01-03 7:35 ` Pushkar Singh
@ 2026-01-04 10:13 ` Tsahi Elkayam
0 siblings, 0 replies; 6+ messages in thread
From: Tsahi Elkayam @ 2026-01-04 10:13 UTC (permalink / raw)
To: Pushkar Singh; +Cc: git@vger•kernel.org, ps@pks•im
This is my first contribution attempt I am so happy I didn’t messed it up
I found few more issues I will address them one by one
You made my day thank you
Sent from Proton Mail for iOS.
-------- Original Message --------
On Saturday, 01/03/26 at 09:35 Pushkar Singh <pushkarkumarsingh1970@gmail•com> wrote:
Hi Tsahi,
Thanks for working on this.
The issue and fix make sense to me. Guarding access to the val2 members
behind a value_type check avoids the undefined behavior noted by the
existing comment, and explicitly handling REFTABLE_REF_VAL1 here matches
the pattern already used in filtering_ref_iterator_next().
I didn’t spot any issues with the control flow or logic in this change.
Thanks for addressing this.
Pushkar
On Sat, Jan 3, 2026 at 12:47 AM Tsahi Elkayam
<Tsahi.Elkayam@protonmail•com> wrote:
>
>
>
> The indexed_table_ref_iter_next() function accesses ref->value.val2
> without first checking the ref's value_type. This is undefined behavior
> when the ref is not of type REFTABLE_REF_VAL2.
>
> The correct pattern is already used in filtering_ref_iterator_next()
> which checks value_type before accessing the appropriate union member.
> Apply the same pattern here:
>
> - Check for REFTABLE_REF_VAL2 before accessing val2 members
> - Add missing check for REFTABLE_REF_VAL1 to handle single-value refs
>
> This was marked with a "/* BUG */" comment indicating the issue was
> known but not yet fixed.
>
> Signed-off-by: Tsahi Elkayam <Tsahi.Elkayam@protonmail•com>
> ---
> reftable/iter.c | 13 ++++++++-----
> 1 file changed, 8 insertions(+), 5 deletions(-)
>
> diff --git a/reftable/iter.c b/reftable/iter.c
> index 2ecc52b336..2eee65bb1e 100644
> --- a/reftable/iter.c
> +++ b/reftable/iter.c
> @@ -171,12 +171,15 @@ static int indexed_table_ref_iter_next(void *p, struct reftable_record *rec)
> }
> continue;
> }
> - /* BUG */
> - if (!memcmp(it->oid.buf, ref->value.val2.target_value,
> - it->oid.len) ||
> - !memcmp(it->oid.buf, ref->value.val2.value, it->oid.len)) {
> + if (ref->value_type == REFTABLE_REF_VAL2 &&
> + (!memcmp(it->oid.buf, ref->value.val2.target_value,
> + it->oid.len) ||
> + !memcmp(it->oid.buf, ref->value.val2.value, it->oid.len)))
> + return 0;
> +
> + if (ref->value_type == REFTABLE_REF_VAL1 &&
> + !memcmp(it->oid.buf, ref->value.val1, it->oid.len))
> return 0;
> - }
> }
> }
>
> --
> 2.37.1 (Apple Git-137.1)
>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] reftable/iter: fix undefined behavior in indexed_table_ref_iter_next
2026-01-02 19:16 [PATCH] reftable/iter: fix undefined behavior in indexed_table_ref_iter_next Tsahi Elkayam
2026-01-03 7:35 ` Pushkar Singh
@ 2026-01-04 2:49 ` Junio C Hamano
2026-01-04 10:22 ` Tsahi Elkayam
1 sibling, 1 reply; 6+ messages in thread
From: Junio C Hamano @ 2026-01-04 2:49 UTC (permalink / raw)
To: Tsahi Elkayam; +Cc: git@vger•kernel.org, ps@pks•im
Tsahi Elkayam <Tsahi.Elkayam@protonmail•com> writes:
> The indexed_table_ref_iter_next() function accesses ref->value.val2
> without first checking the ref's value_type. This is undefined behavior
> when the ref is not of type REFTABLE_REF_VAL2.
>
> The correct pattern is already used in filtering_ref_iterator_next()
> which checks value_type before accessing the appropriate union member.
> Apply the same pattern here:
>
> - Check for REFTABLE_REF_VAL2 before accessing val2 members
> - Add missing check for REFTABLE_REF_VAL1 to handle single-value refs
>
> This was marked with a "/* BUG */" comment indicating the issue was
> known but not yet fixed.
>
> Signed-off-by: Tsahi Elkayam <Tsahi.Elkayam@protonmail•com>
> ---
> reftable/iter.c | 13 ++++++++-----
> 1 file changed, 8 insertions(+), 5 deletions(-)
>
> diff --git a/reftable/iter.c b/reftable/iter.c
> index 2ecc52b336..2eee65bb1e 100644
> --- a/reftable/iter.c
> +++ b/reftable/iter.c
What are these lines with two-whitespace indent about? When sending
a patch purely for discussion (because the actual change may be iffy
or dangerous), we sometimes deliberately corrupt the patch not to
apply mechanically, but this patch does not seem to be such a
"request for discussion" patch.
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] reftable/iter: fix undefined behavior in indexed_table_ref_iter_next
2026-01-04 2:49 ` Junio C Hamano
@ 2026-01-04 10:22 ` Tsahi Elkayam
2026-01-04 10:33 ` Tsahi Elkayam
0 siblings, 1 reply; 6+ messages in thread
From: Tsahi Elkayam @ 2026-01-04 10:22 UTC (permalink / raw)
To: Junio C Hamano; +Cc: git@vger•kernel.org, ps@pks•im
So I did messed up
sorry lesson learned
but still...
wow very exciting
Sent from Proton Mail for iOS.
-------- Original Message --------
On Sunday, 01/04/26 at 04:49 Junio C Hamano <gitster@pobox•com> wrote:
Tsahi Elkayam <Tsahi.Elkayam@protonmail•com> writes:
> The indexed_table_ref_iter_next() function accesses ref->value.val2
> without first checking the ref's value_type. This is undefined behavior
> when the ref is not of type REFTABLE_REF_VAL2.
>
> The correct pattern is already used in filtering_ref_iterator_next()
> which checks value_type before accessing the appropriate union member.
> Apply the same pattern here:
>
> - Check for REFTABLE_REF_VAL2 before accessing val2 members
> - Add missing check for REFTABLE_REF_VAL1 to handle single-value refs
>
> This was marked with a "/* BUG */" comment indicating the issue was
> known but not yet fixed.
>
> Signed-off-by: Tsahi Elkayam <Tsahi.Elkayam@protonmail•com>
> ---
> reftable/iter.c | 13 ++++++++-----
> 1 file changed, 8 insertions(+), 5 deletions(-)
>
> diff --git a/reftable/iter.c b/reftable/iter.c
> index 2ecc52b336..2eee65bb1e 100644
> --- a/reftable/iter.c
> +++ b/reftable/iter.c
What are these lines with two-whitespace indent about? When sending
a patch purely for discussion (because the actual change may be iffy
or dangerous), we sometimes deliberately corrupt the patch not to
apply mechanically, but this patch does not seem to be such a
"request for discussion" patch.
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] reftable/iter: fix undefined behavior in indexed_table_ref_iter_next
2026-01-04 10:22 ` Tsahi Elkayam
@ 2026-01-04 10:33 ` Tsahi Elkayam
0 siblings, 0 replies; 6+ messages in thread
From: Tsahi Elkayam @ 2026-01-04 10:33 UTC (permalink / raw)
To: Junio C Hamano; +Cc: git@vger•kernel.org, ps@pks•im
Hi Junio,
Thank you very much for your feedback. It is a great honor for me to receive a response from you.
I apologize for the formatting issues in my previous email. I am a new developer and still learning the community's workflow. English is not my native language, and I mistakenly added indentation when composing the email, which I now realize corrupted the patch.
I will send a corrected Version 2 (v2) of the patch shortly, ensuring that the format is preserved correctly.
Thank you for your patience and for the "lesson learned."
Best regards, Tsahi
Sent with Proton Mail secure email.
On Sunday, January 4th, 2026 at 12:22 PM, Tsahi Elkayam <Tsahi.Elkayam@protonmail•com> wrote:
>
>
> So I did messed up
> sorry lesson learned
> but still...
> wow very exciting
>
>
> Sent from Proton Mail for iOS.
>
> -------- Original Message --------
> On Sunday, 01/04/26 at 04:49 Junio C Hamano gitster@pobox•com wrote:
>
> Tsahi Elkayam Tsahi.Elkayam@protonmail•com writes:
>
> > The indexed_table_ref_iter_next() function accesses ref->value.val2
> > without first checking the ref's value_type. This is undefined behavior
> > when the ref is not of type REFTABLE_REF_VAL2.
> >
> > The correct pattern is already used in filtering_ref_iterator_next()
> > which checks value_type before accessing the appropriate union member.
> > Apply the same pattern here:
> >
> > - Check for REFTABLE_REF_VAL2 before accessing val2 members
> > - Add missing check for REFTABLE_REF_VAL1 to handle single-value refs
> >
> > This was marked with a "/* BUG */" comment indicating the issue was
> > known but not yet fixed.
> >
> > Signed-off-by: Tsahi Elkayam Tsahi.Elkayam@protonmail•com
> > ---
> > reftable/iter.c | 13 ++++++++-----
> > 1 file changed, 8 insertions(+), 5 deletions(-)
> >
> > diff --git a/reftable/iter.c b/reftable/iter.c
> > index 2ecc52b336..2eee65bb1e 100644
> > --- a/reftable/iter.c
> > +++ b/reftable/iter.c
>
>
> What are these lines with two-whitespace indent about? When sending
> a patch purely for discussion (because the actual change may be iffy
> or dangerous), we sometimes deliberately corrupt the patch not to
> apply mechanically, but this patch does not seem to be such a
> "request for discussion" patch.
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2026-01-04 10:33 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-01-02 19:16 [PATCH] reftable/iter: fix undefined behavior in indexed_table_ref_iter_next Tsahi Elkayam
2026-01-03 7:35 ` Pushkar Singh
2026-01-04 10:13 ` Tsahi Elkayam
2026-01-04 2:49 ` Junio C Hamano
2026-01-04 10:22 ` Tsahi Elkayam
2026-01-04 10:33 ` Tsahi Elkayam
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox