upstream/mercurial-mirror Commit - r38490:9c5ced52

mpatch: avoid integer overflow in combine() (SEC)...

Augie Fackler -

r38490:9c5ced52 4.6.1 stable

parent child

mercurial/mpatch.c

0 +13 -3

             			/* insert new hunk */
             			ct = c->tail;
-            			ct->start = bh->start - offset;
+            			ct->start = bh->start;
-            			ct->end = bh->end - post;
+            			ct->end = bh->end;
+            			if (!safesub(offset, &(ct->start)) ||
+            			    !safesub(post, &(ct->end))) {
+            				/* It was already possible to exit
+            				 * this function with a return value
+            				 * of NULL before the safesub()s were
+            				 * added, so this should be fine. */
+            				mpatch_lfree(c);
+            				c = NULL;
+            				goto done;
+            			}
             			ct->len = bh->len;
             			ct->data = bh->data;
             			c->tail++;
             		memcpy(c->tail, a->head, sizeof(struct mpatch_frag) * lsize(a));
             		c->tail += lsize(a);
             	}
+            done:
             	mpatch_lfree(a);
             	mpatch_lfree(b);
             	return c;

General Comments 0

You need to be logged in to leave comments. Login now

No TODOs yet

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages