slide_hash knowingly reads (possibly) uninitialised memory, see comment
lower down about prev[n] potentially being garbage. In this case, the
result is never used - so we don't care about MSAN complaining about
this read.
By adding the no_sanitize("memory") attribute, clients of zlib won't
see this (unnecessary) error when building and running with
MemorySanitizer. An alternative approach is for clients to build zlib
with -fsanitize-ignorelist=... where the ignorelist contains something
like 'fun:slide_hash'. But that's more work and needs to be redone
for any and all CI systems running a given project with MSAN. Adding
this annotation to zlib's sources is overall more convenient - but
also won't affect non-MSAN builds.
This specific issue was found while running git's test suite, but has
also been reported by other clients, see e.g. #518.
This change:
* Initializes a few variables that were being read before being
initialized.
* Includes https://github.com/madler/zlib/pull/393. As such,
it only works reliably with `-DUSE_BUNDLED_ZLIB=ON`.
We currently use `FILE(GLOB ...)` in most places to find source and
header files. This is problematic in that the order of files returned
depends on the operating system's directory iteration order and may thus
not be deterministic. As a result, we link object files in unspecified
order, which may cause the linker to emit different code across runs.
Fix this issue by sorting all code used as input to the libgit2 library
to improve the reliability of reproducible builds.
While our contribution guide tries to make clear the licenses that apply
to libgit2, it does not make clear that different licenses apply to our
bundled dependencies. Make this clear by listing each dependency
together with the licenses that they are governed by. Furthermore,
bundle the complete license texts next to the code they apply to.
The current version of zlib bundled with libgit2 is version 1.2.8. This
version has several CVEs assigned:
- CVE-2016-9843
- CVE-2016-9841
- CVE-2016-9842
- CVE-2016-9840
Upgrade the bundled version to the current release 1.2.11, which has
these vulnerabilities fixes.
Our bundled deps are being built as simple static libraries which are
then linked into the libgit2 library via `TARGET_LINK_LIBRARIES`. While
this works for a dynamically built libgit2 library, using this function
to link two static libraries does not have the expected outcome of
merging those static libraries into one big library. This leads to
symbols of our bundled deps being undefined in the resulting libgit2
archive.
As we have bumped our minimum CMake version to 2.8.11, we can now easily
make use of object libraries for our bundled dependencies. So build
instructions are still self-contained inside of the dependency
directories and the resulting object libraries can just be added to the
LIBGIT2_OBJECTS list, which will cause them to be linked into the final
resulting static library. This fixes the issue of undefined symbols.
The zlib dependency includes "common.h" inside of the "zconf.h" header
to make available some type declarations like e.g. git_off_t. Including
the "common.h" header does pull in quite a lot of other headers though,
which are not required at all. Instead, we can just include our public
"git2/types.h" header, which is much more limited in its scope but still
provides everything required for "zconf.h".
This fix eases the transition later on to use a separate "features.h"
header instead of defines. As we have to generate the "features.h"
header, we put it in the build directory and add an include directory.
As we are splitting out building of dependencies into subdirectories,
this would mean that the zlib dependency needs to be aware of the parent
project's build directory, which is unfortunate. By including
"git2/types.h", we avoid this problem.
I don't know if this is good or bad. This lets libgit2 compile cleanly
on any platforms without any external dependencies, but adds a little
bit of bloat...
Let's test this out and see what happens.
