upstream/mercurial-mirror Commit - r38252:59837a16

mpatch: avoid integer overflow in mpatch_decode (SEC)

Augie Fackler -

r38252:59837a16 stable

parent child

mercurial/mpatch.c

0 +8 -3

              		lt->start = getbe32(bin + pos);
              		lt->end = getbe32(bin + pos + 4);
              		lt->len = getbe32(bin + pos + 8);
-             		lt->data = bin + pos + 12;
-             		pos += 12 + lt->len;
-             		if (lt->start > lt->end || lt->len < 0)
+             		if (lt->start < 0 || lt->start > lt->end || lt->len < 0)
              			break; /* sanity check */
+             		if (!safeadd(12, &pos)) {
+             			break;
+             		}
+             		lt->data = bin + pos;
+             		if (!safeadd(lt->len, &pos)) {
+             			break;
+             		}
              		lt++;
              	}

General Comments 0

You need to be logged in to leave comments. Login now

No TODOs yet

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages