upstream/mercurial-mirror Commit - r40848:9cdd525d

revlog: fix out-of-bounds access by negative parents read from revlog (SEC)...

Yuya Nishihara -

r40848:9cdd525d stable

parent child

mercurial/cext/revlog.c

0 +7 -1

             	return (const char *)(self->buf.buf) + pos * v1_hdrsize;
             }
+            /*
+             * Get parents of the given rev.
+             *
+             * The specified rev must be valid and must not be nullrev. A returned
+             * parent revision may be nullrev, but is guaranteed to be in valid range.
+             */
             static inline int index_get_parents(indexObject *self, Py_ssize_t rev,
             				    int *ps, int maxrev)
             {
             	}
             	/* If index file is corrupted, ps[] may point to invalid revisions. So
             	 * there is a risk of buffer overflow to trust them unconditionally. */
-            	if (ps[0] > maxrev || ps[1] > maxrev) {
+            	if (ps[0] < -1 || ps[0] > maxrev || ps[1] < -1 || ps[1] > maxrev) {
             		PyErr_SetString(PyExc_ValueError, "parent out of range");
             		return -1;
             	}

tests/test-parseindex.t

0 +19 -2

               $ cd invalidparent
               $ hg clone --pull -q --config phases.publish=False ../a limit
+              $ hg clone --pull -q --config phases.publish=False ../a neglimit
               $ hg clone --pull -q --config phases.publish=False ../a segv
-              $ rm -R limit/.hg/cache segv/.hg/cache
+              $ rm -R limit/.hg/cache neglimit/.hg/cache segv/.hg/cache
               $ "$PYTHON" <<EOF
               > data = open("limit/.hg/store/00changelog.i", "rb").read()
-              > for n, p in [(b'limit', b'\0\0\0\x02'), (b'segv', b'\0\x01\0\0')]:
+              > poisons = [
+              >     (b'limit', b'\0\0\0\x02'),
+              >     (b'neglimit', b'\xff\xff\xff\xfe'),
+              >     (b'segv', b'\0\x01\0\0'),
+              > ]
+              > for n, p in poisons:
               >     # corrupt p1 at rev0 and p2 at rev1
               >     d = data[:24] + p + data[28:127 + 28] + p + data[127 + 32:]
               >     open(n + b"/.hg/store/00changelog.i", "wb").write(d)
 1        1       -1    base         63         62         63   1.01613        63         0    0.00000
 2        1       -1    base         66         65         66   1.01538        66         0    0.00000
+              $ hg -R neglimit debugrevlogindex -f1 -c
+                 rev flag     size   link     p1     p2       nodeid
+0000       62      0     -2     -1 7c31755bf9b5
+0000       65      1      0     -2 26333235a41c
               $ hg -R segv debugrevlogindex -f1 -c
                  rev flag     size   link     p1     p2       nodeid
 0000       62      0  65536     -1 7c31755bf9b5
               index_headrevs: parent out of range
               find_gca_candidates: parent out of range
               find_deepest: parent out of range
+              $ "$PYTHON" test.py neglimit/.hg/store
+              reachableroots: parent out of range
+              compute_phases_map_sets: parent out of range
+              index_headrevs: parent out of range
+              find_gca_candidates: parent out of range
+              find_deepest: parent out of range
               $ "$PYTHON" test.py segv/.hg/store
               reachableroots: parent out of range
               compute_phases_map_sets: parent out of range

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages