Fix segfaults when parsing bdiff hunks in mpatch.decode() and .patchedsize()...
Thomas Arendsen Hein -
r4358:11dc22eb default
@@ -221,7 +221,7 b' static struct flist *decode(char *bin, i'
221 221 {
222 222 struct flist *l;
223 223 struct frag *lt;
224 char *end = bin + len;
224 char *data = bin + 12, *end = bin + len;
225 225 char decode[12]; /* for dealing with alignment issues */
226 226
227 227 /* assume worst case size, we won't have many of these lists */
@@ -231,13 +231,18 b' static struct flist *decode(char *bin, i'
231 231
232 232 lt = l->tail;
233 233
234 while (bin < end) {
234 while (data <= end) {
235 235 memcpy(decode, bin, 12);
236 236 lt->start = ntohl(*(uint32_t *)decode);
237 237 lt->end = ntohl(*(uint32_t *)(decode + 4));
238 238 lt->len = ntohl(*(uint32_t *)(decode + 8));
239 lt->data = bin + 12;
240 bin += 12 + lt->len;
239 if (lt->start > lt->end)
240 break; /* sanity check */
241 bin = data + lt->len;
242 if (bin < data)
243 break; /* big data + big (bogus) len can wrap around */
244 lt->data = data;
245 data = bin + 12;
241 246 lt++;
242 247 }
243 248
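Review bot: The loop still records a fragment whose data runs past the end of the input: after `bin = data + lt->len` only the wrap-around case `bin < data` is rejected, so a len larger than the remaining buffer leaves `lt->data`/`lt->len` describing bytes beyond `end`, and the fragment is kept (`lt++`) before the next iteration's `data <= end` test stops the loop. Checking against the remaining input instead closes that gap and also avoids relying on out-of-range pointer arithmetic for the wrap test, e.g. `if (lt->len > end - data) break;` placed before `bin = data + lt->len;` (with `lt->len < 0` rejected too if the field is signed — its declaration is not visible here). The patchedsize() hunk below has the same shape, where `bin = data + len` should likewise be guarded by `len > binend - data`. Both loops also exit with a plain `break` on malformed input, handing back a silently truncated list or size; what follows the loop is outside these hunks, so it is worth confirming that `bin != end` at loop exit is reported as an error rather than returned as a partial result.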
@@ -367,20 +372,26 b' patchedsize(PyObject *self, PyObject *ar'
367 372 {
368 373 long orig, start, end, len, outlen = 0, last = 0;
369 374 int patchlen;
370 char *bin, *binend;
375 char *bin, *binend, *data;
371 376 char decode[12]; /* for dealing with alignment issues */
372 377
373 378 if (!PyArg_ParseTuple(args, "ls#", &orig, &bin, &patchlen))
374 379 return NULL;
375 380
376 381 binend = bin + patchlen;
382 data = bin + 12;
377 383
378 while (bin < binend) {
384 while (data <= binend) {
379 385 memcpy(decode, bin, 12);
380 386 start = ntohl(*(uint32_t *)decode);
381 387 end = ntohl(*(uint32_t *)(decode + 4));
382 388 len = ntohl(*(uint32_t *)(decode + 8));
383 bin += 12 + len;
389 if (start > end)
390 break; /* sanity check */
391 bin = data + len;
392 if (bin < data)
393 break; /* big data + big (bogus) len can wrap around */
394 data = bin + 12;
384 395 outlen += start - last;
385 396 last = end;
386 397 outlen += len;