upstream/mercurial-mirror Commit - r20167:09e41ac6

mpatch: rewrite pointer overflow checks

Matt Mackall -

r20167:09e41ac6 stable

parent child

mercurial/mpatch.c

0 +16 -25

             {
             	struct flist *l;
             	struct frag *lt;
-            	const char *data = bin + 12, *end = bin + len;
+            	int pos = 0;
             	/* assume worst case size, we won't have many of these lists */
             	l = lalloc(len / 12);
             	lt = l->tail;
-            	while (data <= end) {
+            	while (pos >= 0 && pos < len) {
-            		lt->start = getbe32(bin);
+            		lt->start = getbe32(bin + pos);
-            		lt->end = getbe32(bin + 4);
+            		lt->end = getbe32(bin + pos + 4);
-            		lt->len = getbe32(bin + 8);
+            		lt->len = getbe32(bin + pos + 8);
             		if (lt->start > lt->end)
             			break; /* sanity check */
-            		bin = data + lt->len;
+            		lt->data = bin + pos + 12;
-            		if (bin < data)
+            		pos += 12 + lt->len;
-            			break; /* big data + big (bogus) len can wrap around */
-            		lt->data = data;
-            		data = bin + 12;
             		lt++;
             	}
-            	if (bin != end) {
+            	if (pos != len) {
             		if (!PyErr_Occurred())
             			PyErr_SetString(mpatch_Error, "patch cannot be decoded");
             		lfree(l);
             static PyObject *
             patchedsize(PyObject *self, PyObject *args)
             {
-            	long orig, start, end, len, outlen = 0, last = 0;
+            	long orig, start, end, len, outlen = 0, last = 0, pos = 0;
             	Py_ssize_t patchlen;
-            	char *bin, *binend, *data;
+            	char *bin;
             	if (!PyArg_ParseTuple(args, "ls#", &orig, &bin, &patchlen))
             		return NULL;
-            	binend = bin + patchlen;
+            	while (pos >= 0 && pos < patchlen) {
-            	data = bin + 12;
+            		start = getbe32(bin + pos);
+            		end = getbe32(bin + pos + 4);
-            	while (data <= binend) {
+            		len = getbe32(bin + pos + 8);
-            		start = getbe32(bin);
-            		end = getbe32(bin + 4);
-            		len = getbe32(bin + 8);
             		if (start > end)
             			break; /* sanity check */
-            		bin = data + len;
+            		pos += 12 + len;
-            		if (bin < data)
-            			break; /* big data + big (bogus) len can wrap around */
-            		data = bin + 12;
             		outlen += start - last;
             		last = end;
             		outlen += len;
             	}
-            	if (bin != binend) {
+            	if (pos != patchlen) {
             		if (!PyErr_Occurred())
             			PyErr_SetString(mpatch_Error, "patch cannot be decoded");
             		return NULL;

mercurial/parsers.c

0 +14 -20

             {
             	PyObject *dmap, *cmap, *parents = NULL, *ret = NULL;
             	PyObject *fname = NULL, *cname = NULL, *entry = NULL;
-            	char state, *str, *cur, *end, *cpos;
+            	char state, *cur, *str, *cpos;
             	int mode, size, mtime;
             	unsigned int flen;
-            	int len;
+            	int len, pos = 40;
             	if (!PyArg_ParseTuple(args, "O!O!s#:parse_dirstate",
             			      &PyDict_Type, &dmap,
             		goto quit;
             	/* read filenames */
-            	cur = str + 40;
+            	while (pos >= 40 && pos < len) {
-            	end = str + len;
+            		cur = str + pos;
-            	while (cur < end - 17) {
             		/* unpack header */
             		state = *cur;
             		mode = getbe32(cur + 1);
             		size = getbe32(cur + 5);
             		mtime = getbe32(cur + 9);
             		flen = getbe32(cur + 13);
+            		pos += 17;
             		cur += 17;
-            		if (cur + flen > end || cur + flen < cur) {
+            		if (flen > len - pos || flen < 0) {
             			PyErr_SetString(PyExc_ValueError, "overflow in dirstate");
             			goto quit;
             		}
             			    PyDict_SetItem(dmap, fname, entry) == -1)
             				goto quit;
             		}
-            		cur += flen;
             		Py_DECREF(fname);
             		Py_DECREF(entry);
             		fname = cname = entry = NULL;
+            		pos += flen;
             	}
             	ret = parents;
             static long inline_scan(indexObject *self, const char **offsets)
             {
             	const char *data = PyString_AS_STRING(self->data);
-            	const char *end = data + PyString_GET_SIZE(self->data);
+            	Py_ssize_t pos = 0;
+            	Py_ssize_t end = PyString_GET_SIZE(self->data);
             	long incr = v1_hdrsize;
             	Py_ssize_t len = 0;
-            	while (data + v1_hdrsize <= end) {
+            	while (pos + v1_hdrsize <= end && pos >= 0) {
             		uint32_t comp_len;
-            		const char *old_data;
             		/* 3rd element of header is length of compressed inline data */
-            		comp_len = getbe32(data + 8);
+            		comp_len = getbe32(data + pos + 8);
             		incr = v1_hdrsize + comp_len;
-            		if (incr < v1_hdrsize)
-            			break;
             		if (offsets)
-            			offsets[len] = data;
+            			offsets[len] = data + pos;
             		len++;
-            		old_data = data;
+            		pos += incr;
-            		data += incr;
-            		if (data <= old_data)
-            			break;
             	}
-            	if (data != end && data + v1_hdrsize != end) {
+            	if (pos != end) {
             		if (!PyErr_Occurred())
             			PyErr_SetString(PyExc_ValueError, "corrupt index file");
             		return -1;

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages