upstream/mercurial-mirror Commit - r26591:04234431

parsers: fix infinite loop or out-of-bound read in fm1readmarkers (issue4888)...

Yuya Nishihara -

r26591:04234431 default

parent child

mercurial/parsers.c

0 +35 -3

              #define BUMPED_FIX 1
              #define USING_SHA_256 2
+             #define FM1_HEADER_SIZE (4 + 8 + 2 + 2 + 1 + 1 + 1)
              static PyObject *readshas(
              	const char *source, unsigned char num, Py_ssize_t hashwidth)
              	return list;
              }
-             static PyObject *fm1readmarker(const char *data, uint32_t *msize)
+             static PyObject *fm1readmarker(const char *databegin, const char *dataend,
+             			       uint32_t *msize)
              {
+             	const char *data = databegin;
              	const char *meta;
              	double mtime;
              	PyObject *metadata = NULL, *ret = NULL;
              	int i;
+             	if (data + FM1_HEADER_SIZE > dataend) {
+             		goto overflow;
+             	}
              	*msize = getbe32(data);
              	data += 4;
              	mtime = getbefloat64(data);
              	nparents = (unsigned char)(*data++);
              	nmetadata = (unsigned char)(*data++);
+             	if (databegin + *msize > dataend) {
+             		goto overflow;
+             	}
+             	dataend = databegin + *msize;  /* narrow down to marker size */
+             	if (data + hashwidth > dataend) {
+             		goto overflow;
+             	}
              	prec = PyString_FromStringAndSize(data, hashwidth);
              	data += hashwidth;
              	if (prec == NULL) {
              		goto bail;
              	}
+             	if (data + nsuccs * hashwidth > dataend) {
+             		goto overflow;
+             	}
              	succs = readshas(data, nsuccs, hashwidth);
              	if (succs == NULL) {
              		goto bail;
              	data += nsuccs * hashwidth;
              	if (nparents == 1 || nparents == 2) {
+             		if (data + nparents * hashwidth > dataend) {
+             			goto overflow;
+             		}
              		parents = readshas(data, nparents, hashwidth);
              		if (parents == NULL) {
              			goto bail;
              		parents = Py_None;
              	}
+             	if (data + 2 * nmetadata > dataend) {
+             		goto overflow;
+             	}
              	meta = data + (2 * nmetadata);
              	metadata = PyTuple_New(nmetadata);
              	if (metadata == NULL) {
              		PyObject *tmp, *left = NULL, *right = NULL;
              		Py_ssize_t leftsize = (unsigned char)(*data++);
              		Py_ssize_t rightsize = (unsigned char)(*data++);
+             		if (meta + leftsize + rightsize > dataend) {
+             			goto overflow;
+             		}
              		left = PyString_FromStringAndSize(meta, leftsize);
              		meta += leftsize;
              		right = PyString_FromStringAndSize(meta, rightsize);
              	}
              	ret = Py_BuildValue("(OOHO(di)O)", prec, succs, flags,
              			    metadata, mtime, (int)tz * 60, parents);
+             	goto bail;  /* return successfully */
+             overflow:
+             	PyErr_SetString(PyExc_ValueError, "overflow in obsstore");
              bail:
              	Py_XDECREF(prec);
              	Py_XDECREF(succs);
              static PyObject *fm1readmarkers(PyObject *self, PyObject *args) {
-             	const char *data;
+             	const char *data, *dataend;
              	Py_ssize_t datalen;
              	Py_ssize_t offset, stop;
              	PyObject *markers = NULL;
              	if (!PyArg_ParseTuple(args, "s#nn", &data, &datalen, &offset, &stop)) {
              		return NULL;
              	}
+             	dataend = data + datalen;
              	data += offset;
              	markers = PyList_New(0);
              	if (!markers) {
              	while (offset < stop) {
              		uint32_t msize;
              		int error;
-             		PyObject *record = fm1readmarker(data, &msize);
+             		PyObject *record = fm1readmarker(data, dataend, &msize);
              		if (!record) {
              			goto bail;
              		}

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages