diff -ruN mercurial-2.6.2/mercurial/mpatch.c mercurial-2.6.2_patched/mercurial/mpatch.c

--- mercurial-2.6.2/mercurial/mpatch.c	2019-10-10 12:04:17.473702325 +0100

+++ mercurial-2.6.2_patched/mercurial/mpatch.c	2019-10-10 12:03:55.538520431 +0100

@@ -285,6 +285,7 @@

 	struct flist *l;

 	struct frag *lt;

 	const char *data = bin + 12, *end = bin + len;

+    int pos = 0;

 	/* assume worst case size, we won't have many of these lists */

 	l = lalloc(len / 12);

@@ -293,25 +294,23 @@

 	lt = l->tail;

-	while (data <= end) {

-		lt->start = getbe32(bin);

-		lt->end = getbe32(bin + 4);

-		lt->len = getbe32(bin + 8);

+	while (pos >= 0 && pos < (len - 11)) {

+		lt->start = getbe32(bin + pos);

+		lt->end = getbe32(bin + pos + 4);

+		lt->len = getbe32(bin + pos + 8);

 		if (lt->start < 0 || lt->start > lt->end || lt->len < 0)

  			break; /* sanity check */

-		bin = data;

-		if (!safeadd(lt->len, &bin)) {

+		if (!safeadd(12, &pos)) {

 			break; /* big data + big (bogus) len can wrap around */

 		}

-		lt->data = data;

-		data = bin;

-		if (!safeadd(12, &data)) {

+		lt->data = bin + pos;

+		if (!safeadd(lt->len, &pos)) {

 			break;

 		}

 		lt++;

 	}

-	if (bin != end) {

+	if (pos != len) {

 		if (!PyErr_Occurred())

 			PyErr_SetString(mpatch_Error, "patch cannot be decoded");

 		lfree(l);