upstream/mercurial-mirror Commit - r4358:11dc22eb

221

{

221

{

222

struct flist *l;

222

struct flist *l;

223

struct frag *lt;

223

struct frag *lt;

224

char *end = bin + len;

224

char *data = bin + 12, *end = bin + len;

225

char decode[12]; /* for dealing with alignment issues */

225

char decode[12]; /* for dealing with alignment issues */

226

227

/* assume worst case size, we won't have many of these lists */

227

/* assume worst case size, we won't have many of these lists */

231

232

lt = l->tail;

232

lt = l->tail;

233

234

while (~~bin~~ < end) {

234

while (data <= end) {

235

memcpy(decode, bin, 12);

235

memcpy(decode, bin, 12);

236

lt->start = ntohl(*(uint32_t *)decode);

236

lt->start = ntohl(*(uint32_t *)decode);

237

lt->end = ntohl(*(uint32_t *)(decode + 4));

237

lt->end = ntohl(*(uint32_t *)(decode + 4));

238

lt->len = ntohl(*(uint32_t *)(decode + 8));

238

lt->len = ntohl(*(uint32_t *)(decode + 8));

239

lt->data = bin + 12;

239

if (lt->start > lt->end)

240

bin += 12 + lt->len;

240

break; /* sanity check */

241

bin = data + lt->len;

242

if (bin < data)

243

break; /* big data + big (bogus) len can wrap around */

244

lt->data = data;

245

data = bin + 12;

241

lt++;

246

lt++;

242

}

247

}

243

248

367

{

372

{

368

long orig, start, end, len, outlen = 0, last = 0;

373

long orig, start, end, len, outlen = 0, last = 0;

369

int patchlen;

374

int patchlen;

370

char *bin, *binend;

375

char *bin, *binend, *data;

371

char decode[12]; /* for dealing with alignment issues */

376

char decode[12]; /* for dealing with alignment issues */

372

377

373

if (!PyArg_ParseTuple(args, "ls#", &orig, &bin, &patchlen))

378

if (!PyArg_ParseTuple(args, "ls#", &orig, &bin, &patchlen))

374

return NULL;

379

return NULL;

375

380

376

binend = bin + patchlen;

381

binend = bin + patchlen;

382

data = bin + 12;

377

383

378

while (~~bin~~ < binend) {

384

while (data <= binend) {

379

memcpy(decode, bin, 12);

385

memcpy(decode, bin, 12);

380

start = ntohl(*(uint32_t *)decode);

386

start = ntohl(*(uint32_t *)decode);

381

end = ntohl(*(uint32_t *)(decode + 4));

387

end = ntohl(*(uint32_t *)(decode + 4));

382

len = ntohl(*(uint32_t *)(decode + 8));

388

len = ntohl(*(uint32_t *)(decode + 8));

383

bin += 12 + len;

389

if (start > end)

390

break; /* sanity check */

391

bin = data + len;

392

if (bin < data)

393

break; /* big data + big (bogus) len can wrap around */

394

data = bin + 12;

384

outlen += start - last;

395

outlen += start - last;

385

last = end;

396

last = end;

386

outlen += len;

397

outlen += len;

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

             {
             	struct flist *l;
             	struct frag *lt;
-            	char *end = bin + len;
+            	char *data = bin + 12, *end = bin + len;
             	char decode[12]; /* for dealing with alignment issues */
             	/* assume worst case size, we won't have many of these lists */
             	lt = l->tail;
-            	while (bin < end) {
+            	while (data <= end) {
             		memcpy(decode, bin, 12);
             		lt->start = ntohl(*(uint32_t *)decode);
             		lt->end = ntohl(*(uint32_t *)(decode + 4));
             		lt->len = ntohl(*(uint32_t *)(decode + 8));
-            		lt->data = bin + 12;
+            		if (lt->start > lt->end)
-            		bin += 12 + lt->len;
+            			break; /* sanity check */
+            		bin = data + lt->len;
+            		if (bin < data)
+            			break; /* big data + big (bogus) len can wrap around */
+            		lt->data = data;
+            		data = bin + 12;
             		lt++;
             	}
             {
             	long orig, start, end, len, outlen = 0, last = 0;
             	int patchlen;
-            	char *bin, *binend;
+            	char *bin, *binend, *data;
             	char decode[12]; /* for dealing with alignment issues */
             	if (!PyArg_ParseTuple(args, "ls#", &orig, &bin, &patchlen))
             		return NULL;
             	binend = bin + patchlen;
+            	data = bin + 12;
-            	while (bin < binend) {
+            	while (data <= binend) {
             		memcpy(decode, bin, 12);
             		start = ntohl(*(uint32_t *)decode);
             		end = ntohl(*(uint32_t *)(decode + 4));
             		len = ntohl(*(uint32_t *)(decode + 8));
-            		bin += 12 + len;
+            		if (start > end)
+            			break; /* sanity check */
+            		bin = data + len;
+            		if (bin < data)
+            			break; /* big data + big (bogus) len can wrap around */
+            		data = bin + 12;
             		outlen += start - last;
             		last = end;
             		outlen += len;