parsers.c: fix integer overflows...
Benoit Boissinot -
r7174:4da87407 default
@@ -164,7 +164,8 b' static PyObject *parse_dirstate(PyObject'
164 PyObject *dmap, *cmap, *parents = NULL, *ret = NULL;
164 PyObject *dmap, *cmap, *parents = NULL, *ret = NULL;
165 PyObject *fname = NULL, *cname = NULL, *entry = NULL;
165 PyObject *fname = NULL, *cname = NULL, *entry = NULL;
166 char *str, *cur, *end, *cpos;
166 char *str, *cur, *end, *cpos;
167 int state, mode, size, mtime, flen;
167 int state, mode, size, mtime;
168 unsigned int flen;
168 int len;
169 int len;
169 char decode[16]; /* for alignment */
170 char decode[16]; /* for alignment */
170
171
@@ -195,8 +196,10 b' static PyObject *parse_dirstate(PyObject'
195 mtime = ntohl(*(uint32_t *)(decode + 8));
196 mtime = ntohl(*(uint32_t *)(decode + 8));
196 flen = ntohl(*(uint32_t *)(decode + 12));
197 flen = ntohl(*(uint32_t *)(decode + 12));
197 cur += 17;
198 cur += 17;
198 if (cur + flen > end)
199 if (flen > end - cur) {
200 PyErr_SetString(PyExc_ValueError, "overflow in dirstate");
199 goto quit;
201 goto quit;
202 }
200
203
201 entry = Py_BuildValue("ciii", state, mode, size, mtime);
204 entry = Py_BuildValue("ciii", state, mode, size, mtime);
202 PyObject_GC_UnTrack(entry); /* don't waste time with this */
205 PyObject_GC_UnTrack(entry); /* don't waste time with this */
@@ -294,6 +297,8 b' static int _parse_index_ng (const char *'
294 const char *end = data + size;
297 const char *end = data + size;
295
298
296 while (data < end) {
299 while (data < end) {
300 unsigned int step;
301
297 offset_flags = ntohl(*((uint32_t *) (data + 4)));
302 offset_flags = ntohl(*((uint32_t *) (data + 4)));
298 if (n == 0) /* mask out version number for the first entry */
303 if (n == 0) /* mask out version number for the first entry */
299 offset_flags &= 0xFFFF;
304 offset_flags &= 0xFFFF;
@@ -325,10 +330,13 b' static int _parse_index_ng (const char *'
325 } else
330 } else
326 PyList_SET_ITEM(index, n, entry); /* steals reference */
331 PyList_SET_ITEM(index, n, entry); /* steals reference */
327
332
328 data += 64 + (inlined ? comp_len : 0);
329 n++;
333 n++;
334 step = 64 + (inlined ? comp_len : 0);
335 if (end - data < step)
336 break;
337 data += step;
330 }
338 }
331 if (data > end) {
339 if (data != end) {
332 if (!PyErr_Occurred())
340 if (!PyErr_Occurred())
333 PyErr_SetString(PyExc_ValueError, "corrupt index file");
341 PyErr_SetString(PyExc_ValueError, "corrupt index file");
334 return 0;
342 return 0;
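Review bot: In `_parse_index_ng` the new bounds check runs only after an entry has been decoded, so an iteration still starts whenever `data < end` and reads `*((uint32_t *) (data + 4))` even when fewer than 64 bytes remain; a truncated index therefore gets an out-of-bounds read before the `end - data < step` test is reached. A guard as the first statement of the loop body, `if (end - data < 64) break;`, would send a short trailing record to the existing `data != end` "corrupt index file" path. Separately, `step = 64 + (inlined ? comp_len : 0)` is evaluated into an `unsigned int`; if `comp_len` is a signed value decoded from the file (its declaration is outside the hunk), a negative length such as -64 wraps to a step of 0 and the loop stops advancing, so `if (inlined && comp_len < 0) break;` before the addition looks warranted. The part of the loop body between the two `_parse_index_ng` hunks is not visible here, so the other field reads could not be checked.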