upstream/mercurial-mirror Commit - r4377:4759da3e

225

{

225

{

226

struct flist *l;

226

struct flist *l;

227

struct frag *lt;

227

struct frag *lt;

228

char *end = bin + len;

228

char *data = bin + 12, *end = bin + len;

229

char decode[12]; /* for dealing with alignment issues */

229

char decode[12]; /* for dealing with alignment issues */

230

231

/* assume worst case size, we won't have many of these lists */

231

/* assume worst case size, we won't have many of these lists */

235

236

lt = l->tail;

236

lt = l->tail;

237

238

while (~~bin~~ < end) {

238

while (data <= end) {

239

memcpy(decode, bin, 12);

239

memcpy(decode, bin, 12);

240

lt->start = ntohl(*(uint32_t *)decode);

240

lt->start = ntohl(*(uint32_t *)decode);

241

lt->end = ntohl(*(uint32_t *)(decode + 4));

241

lt->end = ntohl(*(uint32_t *)(decode + 4));

242

lt->len = ntohl(*(uint32_t *)(decode + 8));

242

lt->len = ntohl(*(uint32_t *)(decode + 8));

243

lt->data = bin + 12;

243

if (lt->start > lt->end)

244

bin += 12 + lt->len;

244

break; /* sanity check */

245

bin = data + lt->len;

246

if (bin < data)

247

break; /* big data + big (bogus) len can wrap around */

248

lt->data = data;

249

data = bin + 12;

245

lt++;

250

lt++;

246

}

251

}

247

252

371

{

376

{

372

long orig, start, end, len, outlen = 0, last = 0;

377

long orig, start, end, len, outlen = 0, last = 0;

373

int patchlen;

378

int patchlen;

374

char *bin, *binend;

379

char *bin, *binend, *data;

375

char decode[12]; /* for dealing with alignment issues */

380

char decode[12]; /* for dealing with alignment issues */

376

381

377

if (!PyArg_ParseTuple(args, "ls#", &orig, &bin, &patchlen))

382

if (!PyArg_ParseTuple(args, "ls#", &orig, &bin, &patchlen))

378

return NULL;

383

return NULL;

379

384

380

binend = bin + patchlen;

385

binend = bin + patchlen;

386

data = bin + 12;

381

387

382

while (~~bin~~ < binend) {

388

while (data <= binend) {

383

memcpy(decode, bin, 12);

389

memcpy(decode, bin, 12);

384

start = ntohl(*(uint32_t *)decode);

390

start = ntohl(*(uint32_t *)decode);

385

end = ntohl(*(uint32_t *)(decode + 4));

391

end = ntohl(*(uint32_t *)(decode + 4));

386

len = ntohl(*(uint32_t *)(decode + 8));

392

len = ntohl(*(uint32_t *)(decode + 8));

387

bin += 12 + len;

393

if (start > end)

394

break; /* sanity check */

395

bin = data + len;

396

if (bin < data)

397

break; /* big data + big (bogus) len can wrap around */

398

data = bin + 12;

388

outlen += start - last;

399

outlen += start - last;

389

last = end;

400

last = end;

390

outlen += len;

401

outlen += len;

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

             {
             	struct flist *l;
             	struct frag *lt;
-            	char *end = bin + len;
+            	char *data = bin + 12, *end = bin + len;
             	char decode[12]; /* for dealing with alignment issues */
             	/* assume worst case size, we won't have many of these lists */
             	lt = l->tail;
-            	while (bin < end) {
+            	while (data <= end) {
             		memcpy(decode, bin, 12);
             		lt->start = ntohl(*(uint32_t *)decode);
             		lt->end = ntohl(*(uint32_t *)(decode + 4));
             		lt->len = ntohl(*(uint32_t *)(decode + 8));
-            		lt->data = bin + 12;
+            		if (lt->start > lt->end)
-            		bin += 12 + lt->len;
+            			break; /* sanity check */
+            		bin = data + lt->len;
+            		if (bin < data)
+            			break; /* big data + big (bogus) len can wrap around */
+            		lt->data = data;
+            		data = bin + 12;
             		lt++;
             	}
             {
             	long orig, start, end, len, outlen = 0, last = 0;
             	int patchlen;
-            	char *bin, *binend;
+            	char *bin, *binend, *data;
             	char decode[12]; /* for dealing with alignment issues */
             	if (!PyArg_ParseTuple(args, "ls#", &orig, &bin, &patchlen))
             		return NULL;
             	binend = bin + patchlen;
+            	data = bin + 12;
-            	while (bin < binend) {
+            	while (data <= binend) {
             		memcpy(decode, bin, 12);
             		start = ntohl(*(uint32_t *)decode);
             		end = ntohl(*(uint32_t *)(decode + 4));
             		len = ntohl(*(uint32_t *)(decode + 8));
-            		bin += 12 + len;
+            		if (start > end)
+            			break; /* sanity check */
+            		bin = data + len;
+            		if (bin < data)
+            			break; /* big data + big (bogus) len can wrap around */
+            		data = bin + 12;
             		outlen += start - last;
             		last = end;
             		outlen += len;