mpatch: avoid integer overflow in mpatch_decode (SEC)
Augie Fackler -
r38252:59837a16 stable
@@ -285,10 +285,15 b' int mpatch_decode(const char *bin, ssize'
285 lt->start = getbe32(bin + pos);
285 lt->start = getbe32(bin + pos);
286 lt->end = getbe32(bin + pos + 4);
286 lt->end = getbe32(bin + pos + 4);
287 lt->len = getbe32(bin + pos + 8);
287 lt->len = getbe32(bin + pos + 8);
288 lt->data = bin + pos + 12;
288 if (lt->start < 0 || lt->start > lt->end || lt->len < 0)
289 pos += 12 + lt->len;
290 if (lt->start > lt->end || lt->len < 0)
291 break; /* sanity check */
289 break; /* sanity check */
290 if (!safeadd(12, &pos)) {
291 break;
292 }
293 lt->data = bin + pos;
294 if (!safeadd(lt->len, &pos)) {
295 break;
296 }
292 lt++;
297 lt++;
293 }
298 }
294
299
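Review bot: The three `getbe32` reads at the top of this hunk still run before anything visible here confirms that 12 header bytes remain after `pos`; the new `safeadd` calls keep `pos` from wrapping but never compare it with the input length. Unless the loop condition, which lies outside the hunk, already guarantees this, a truncated patch could push the header reads past the end of `bin`. A guard ahead of the reads, such as `if (pos > len - 12) break;` (with `len` standing for the length parameter, whose name is cut off in the hunk header), would cover that case. Likewise `lt->data = bin + pos` is stored before `pos + lt->len` is known to fit the buffer, so a short comment saying where that bound is enforced would help the next reader.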