A tag object which lacks newlines won't be parsed correctly. Git fails to detect this error and crashes due to a NULL deref:
$ git archive 1.0.0 Segmentation fault (core dumped) $ git checkout 1.0.0 Segmentation fault (core dumped) $ See the attached tarball for a reproduction repository. Also mirrored at https://stsp.name/git-checkout-tag-segv-repo.tgz With the patch below: $ git checkout 1.0.0 fatal: reference is not a tree: 1.0.0 $ git archive 1.0.0 fatal: not a tree object: a99665eea5ee50171b5b7249880aa2ae35e35823 $ diff --git a/tree.c b/tree.c index 4720945e6a..92d8bd57a3 100644 --- a/tree.c +++ b/tree.c @@ -252,9 +252,11 @@ struct tree *parse_tree_indirect(const struct object_id *oid) return (struct tree *) obj; else if (obj->type == OBJ_COMMIT) obj = &(get_commit_tree(((struct commit *)obj))->object); - else if (obj->type == OBJ_TAG) + else if (obj->type == OBJ_TAG) { obj = ((struct tag *) obj)->tagged; - else + if (!obj) + return NULL; + } else return NULL; if (!obj->parsed) parse_object(the_repository, &obj->oid);
git-checkout-tag-segv-repo.tgz
Description: application/tar-gz
