| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
|
|
|
|
|
|
| |
If a tag is more than 2 characters from the beginning of the comment the
tag value offset will be wrong. #1702 gives an example where the tag
line starts with `;;` and the tag value thus becomes `: Bar` because of
this bug.
The use `index` in the offset calulation seems to be a lucky coincidence
that works in the common case: "; tag: value"
Fixes #1702
|
|
|
|
| |
Fixes #1753
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It is possible to create a stack overflow by giving an option that is
longer than the buffer that is used during option parsing because the
length of the input string is not checked.
Prevent the issue by always checking the input string length and
discarding options that does not fit in the buffer as invalid.
This issue has been assigned CVE-2017-12481.
Thanks to Gwan Yeong Kim for reporting this issue.
Fixes #1222
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It is possible to create a stack overflow by giving a date that is
longer than the buffer that is used during date parsing because the
length of the input string is not checked. The `VERIFY` macro is only
enabled when debug-mode is enabled and the `--verify-memory` argument is
used.
Prevent the issue by always checking the input string length and
discarding dates that does not fit in the buffer as invalid.
This issue has been assigned CVE-2017-12482.
Fixes #1224
|
|\
| |
| | |
Move garbage-input.dat to test case using it
|
| | |
|
|\ \
| | |
| | | |
Do not set dependencies for target check
|
| |/
| |
| |
| |
| |
| | |
The set_target_properties() commands themselves do not cause the tests
to run if the target check is made, and as the target check executes
ctest, all tests will be run anyway.
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
All-null transactions (i.e. a transaction where all postings have a null
amount) are discarded during parsing and the `xact` object is free'd.
But if the transaction contains a deferred posting this results in a
use-after-free vulnerability because a reference to the deferred posting
is stored in the account object which is later read when deferred
postings are applied after parsing is finished.
Ignore null deferred postings to prevent this – they should not have any
effect any way.
Thanks to Cory Duplantis for reporting this issue and providing an
initial analysis.
Ref TALOS-2017-0304, CVE-2017-2808
Fixes #1723
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Cory Duplantis reported that "A specially crafted journal file can
cause [an] integer underflow resulting in code execution". Cory
provided this test case:
Expenses:Food:Groceries $ 37.50 ; ] [=2004/01/01]
Note the ] that comes before [ after the ;.
This issue was reported and described in great detail by Cory Duplantis
of Cisco Talos. This issue is known as TALOS-2017-0303 and has been
assigned CVE-2017-2807. Cory's description can be found at
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0303
Fixes #1722
|
|
|
|
|
| |
Add a test case for issue #1703 which John Wiegley fixed in commit
56025cde ("Don't attempt to invert a value if it's already zero").
|
|\ |
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This fixes #1626.
The tokenizer eagerly classifies 4-digit integers as TOK_A_YEAR
tokens. In some contexts such as "every 1000 years", this causes
errors.
I think the tokenizer does not have enough information available to
distinguish between integers and years.
After this patch, the tokenizer will always classify integers as
TOK_INT tokens. The "has 4 digits" heuristic to determine if an
integer is a year is moved to the place where it's actually
needed (and it can be slightly more generic there, too).
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This fixes issue #1127. In my understanding, PR #552 was meant to fix
this, but was incomplete.
Without this patch, automated transactions are invisible to
assertions.
This patch fixes this by adding a flag to the account to tell it that
there is a new posting, analogous to the behavior of finalize().
I dug up issue #1127 too late to find that this is the same solution
proposed by @tbm. Although I wrote this independently, credit goes to
Martin Michlmayr (@tbm).
|
| | |
|
|\ \
| | |
| | | |
Add support for --prepend-format in accounts command
|
| | |
| | |
| | |
| | |
| | | |
Add support for the `--prepend-format` and `--prepend-width` options in
the `accounts` command.
|
|\ \ \
| | | |
| | | | |
Fix handling of edge cases in trim function
|
| |/ /
| | |
| | |
| | | |
Fixes #520
|
|/ /
| |
| |
| | |
[ci skip]
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
`changed_value_posts::create_accounts()` reuses the `<Revalued>` account
from `display_filter`, but when clearing `changed_value_posts`
`create_accounts()` would be called before the account had been
recreated by `display_filter_posts`. This results in a segfault when
using the --group-by option.
I'm not sure if `display_filter_posts` has the same problem but I
reordered the calls there too for good measure.
|
|\ \
| | |
| | | |
Fix bug where .total used in value exprs breaks totals
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* Re-initialize (to VOID) totals for the account and its ancestors on adding
postings. Otherwise the cache intended for use by recursive calls of C++
function total() in computing family (i.e. account hierarchy) totals is
incorrectly retained from one top-level call to the next, causing
inconsistent and broken behaviour.
* Re-initialize (to false) calculated and gathered. Otherwise we won't
e.g. recalculate stale totals for ancestor accounts (e.g. won't recalculate
Assets:Savings total if Assets:Savings changes via a posting).
Although the value expression total function is used by ledger itself in
computing totals, this bug would only appear on use of .total in user-supplied
value expressions computed *during parsing* of ledger files, rather than after
parsing (I believe ledger only ever calls it for internal purposes after
parsing is complete).
It is possible this bug also affected other functions than total (perhaps even
in circumstances other than analagous to that described in the preceding
paragraph). I have not checked that.
|
|\ \ \
| |/ /
|/| | |
Fix Bug 1182: Error message for parse failure after '='
|
| | | |
|
| | |
| | |
| | |
| | | |
fix test
|
|\ \ \
| | | |
| | | | |
Add regress test for bugs 550 and 584
|
| | | | |
|
|\ \ \ \
| | | | |
| | | | | |
Add regress test for bug 1055
|
| |/ / / |
|
|/ / / |
|
|/ /
| |
| |
| | |
[ci skip]
|
| | |
|
| | |
|
| | |
|
| |
| |
| |
| |
| | |
To verify that no ANSI color codes are printed when the --force-color
option is not set.
|
| | |
|
| |
| |
| |
| | |
This was reported as Bug #1109
|
| | |
|
|\ \
| | |
| | | |
Fix regress test 383 on Windows
|
| | |
| | |
| | |
| | | |
%g is not available in Windows strftime. See documentation at https://msdn.microsoft.com/en-us/library/fe06s4ak.aspx
|
|\ \ \
| |/ /
|/| | |
Fix build under Cygwin
|
| | | |
|
|/ /
| |
| |
| |
| |
| | |
With this change, 97% of the tests pass. See the build on appveyor for more info: https://ci.appveyor.com/project/Evan/ledger/build/build-49
I'll follow up with another PR to fix some of the remaining broken tests
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Appveyor is a continuous integration platform for Windows that is free for open source projects. See latest test build here: https://ci.appveyor.com/project/Evan/ledger/build/artifacts
* Changed WIN32 to _WIN32 because this article http://nadeausoftware.com/articles/2012/01/c_c_tip_how_use_compiler_predefined_macros_detect_operating_system claims that it is defined by the greatest number of compilers.
* Modified HAVE_ISATTY and other system defines so that system.hh compiles when cmake fails to find the relevant function.
* Add missing include in test/unit/t_value.cc
Almost all tests fail when you run them on msys32. I will address that in a future PR.
|
| | |
|