# HG changeset patch
# User Martin von Zweigbergk <martinvonz@google.com>
# Date 2019-12-10 22:40:44
# Node ID a47ccdcce4f9a623746bef4dded54b7a2af5217a
# Parent  8377570a36a95ea7bd410d8863f3780d37d0527e

dirs: fix out-of-bounds access in Py3

The hack for mutating Python's variable-length integers that was
ported to py3 in cb3048746dae (dirs: port PyInt code to work on Python
3, 2016-10-08) was reading from ob_digit[1] instead of ob_digit[0] for
some reason. Space for ob_digit[1] would only be allocated for
integers larger than 30 bits, so we ended up writing to unallocated
memory. Also, we would write an integer that's 2^30 times too large,
so we would never free these integers.

Found by AddressSanitizer.

Differential Revision: https://phab.mercurial-scm.org/D7597

diff --git a/mercurial/cext/dirs.c b/mercurial/cext/dirs.c
--- a/mercurial/cext/dirs.c
+++ b/mercurial/cext/dirs.c
@@ -14,7 +14,7 @@
 #include "util.h"
 
 #ifdef IS_PY3K
-#define PYLONG_VALUE(o) ((PyLongObject *)o)->ob_digit[1]
+#define PYLONG_VALUE(o) ((PyLongObject *)o)->ob_digit[0]
 #else
 #define PYLONG_VALUE(o) PyInt_AS_LONG(o)
 #endif