parsers.c: fix integer overflows...
Benoit Boissinot -
r7174:4da87407 default
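--- a/parsers.c
+++ b/parsers.c
@@ -164,7 +164,8 @@ static PyObject *parse_dirstate(PyObject
 PyObject *dmap, *cmap, *parents = NULL, *ret = NULL;
 PyObject *fname = NULL, *cname = NULL, *entry = NULL;
 char *str, *cur, *end, *cpos;
-int state, mode, size, mtime, flen;
+int state, mode, size, mtime;
+unsigned int flen;
 int len;
 char decode[16]; /* for alignment */
 
@@ -195,8 +196,10 @@ static PyObject *parse_dirstate(PyObject
 mtime = ntohl(*(uint32_t *)(decode + 8));
 flen = ntohl(*(uint32_t *)(decode + 12));
 cur += 17;
-if (cur + flen > end)
+if (flen > end - cur) {
+PyErr_SetString(PyExc_ValueError, "overflow in dirstate");
 goto quit;
+}
 
 entry = Py_BuildValue("ciii", state, mode, size, mtime);
 PyObject_GC_UnTrack(entry); /* don't waste time with this */
@@ -294,6 +297,8 @@ static int _parse_index_ng (const char *
 const char *end = data + size;
 
 while (data < end) {
+unsigned int step;
+
 offset_flags = ntohl(*((uint32_t *) (data + 4)));
 if (n == 0) /* mask out version number for the first entry */
 offset_flags &= 0xFFFF;
@@ -325,10 +330,13 @@ static int _parse_index_ng (const char *
 } else
 PyList_SET_ITEM(index, n, entry); /* steals reference */
 
-data += 64 + (inlined ? comp_len : 0);
 n++;
+step = 64 + (inlined ? comp_len : 0);
+if (end - data < step)
+break;
+data += step;
 }
-if (data > end) {
+if (data != end) {
 if (!PyErr_Occurred())
 PyErr_SetString(PyExc_ValueError, "corrupt index file");
 return 0;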
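Review bot: The new bound `if (end - data < step)` only protects the advance, not the loads at the top of the next iteration: the loop condition `while (data < end)` still admits a trailing record with fewer than 64 bytes left (or an index shorter than 64 bytes on the first pass), so the visible `ntohl(*((uint32_t *) (data + 4)))` load, and presumably the other fixed-offset field reads of the 64-byte record, read past `end`. Adding `if (end - data < 64) break;` as the first statement of the loop body, before the ntohl loads, turns that case into the existing `data != end` "corrupt index file" path instead of an out-of-bounds read. `step` is also not bounded from below: `comp_len` is declared outside this hunk, and if it is a signed int a negative value in an inlined index yields a step in 0..63, where step 0 never advances `data` and the loop does not terminate, so the check should read `if (step < 64 || end - data < step) break;`. _parse_index_ng begins before the hunk, so the declarations of comp_len and inlined are not visible here.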