upstream/mercurial-mirror Commit - r38250:0b208c13

mpatch: fix UB in int overflows in gather() (SEC)

Augie Fackler -

r38250:0b208c13 stable

parent child

mercurial/mpatch.c

0 +23 -4

@@ -109,17 +109,36 b' static int gather(struct mpatch_flist *d'
109	int postend, c, l;	109	int postend, c, l;
110		110
111	while (s != src->tail) {	111	while (s != src->tail) {
112	if (s->start + offset >= cut)	112	int soffset = s->start;
		113	if (!safeadd(offset, &soffset))
		114	break; /* add would overflow, oh well */
		115	if (soffset >= cut)
113	break; /* we've gone far enough */	116	break; /* we've gone far enough */
114		117
115	postend = offset + s->~~start~~ + s->~~len~~;	118	postend = offset;
		119	if (!safeadd(s->start, &postend) \|\|
		120	!safeadd(s->len, &postend)) {
		121	break;
		122	}
116	if (postend <= cut) {	123	if (postend <= cut) {
117	/* save this hunk */	124	/* save this hunk */
118	offset += s->start + s->len - s->end;	125	int tmp = s->start;
		126	if (!safesub(s->end, &tmp)) {
		127	break;
		128	}
		129	if (!safeadd(s->len, &tmp)) {
		130	break;
		131	}
		132	if (!safeadd(tmp, &offset)) {
		133	break; /* add would overflow, oh well */
		134	}
119	d++ = s++;	135	d++ = s++;
120	} else {	136	} else {
121	/* break up this hunk */	137	/* break up this hunk */
122	c = cut - ~~offset~~;	138	c = cut;
		139	if (!safesub(offset, &c)) {
		140	break;
		141	}
123	if (s->end < c)	142	if (s->end < c)
124	c = s->end;	143	c = s->end;
125	l = cut - offset - s->start;	144	l = cut - offset - s->start;

General Comments 0

You need to be logged in to leave comments. Login now

No TODOs yet

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages