Blame SOURCES/mercurial-fix-cve-2018-13346-cve-2018-13347-regression.patch
diff -ruN mercurial-2.6.2/mercurial/mpatch.c mercurial-2.6.2_patched/mercurial/mpatch.c
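--- mercurial-2.6.2/mercurial/mpatch.c 2019-10-10 12:04:17.473702325 +0100
+++ mercurial-2.6.2_patched/mercurial/mpatch.c 2019-10-10 12:03:55.538520431 +0100
@@ -285,6 +285,7 @@
 struct flist *l;
 struct frag *lt;
 const char *data = bin + 12, *end = bin + len;
+ int pos = 0;
 
 /* assume worst case size, we won't have many of these lists */
 l = lalloc(len / 12);
@@ -293,25 +294,23 @@
 
 lt = l->tail;
 
- while (data <= end) {
- lt->start = getbe32(bin);
- lt->end = getbe32(bin + 4);
- lt->len = getbe32(bin + 8);
+ while (pos >= 0 && pos < (len - 11)) {
+ lt->start = getbe32(bin + pos);
+ lt->end = getbe32(bin + pos + 4);
+ lt->len = getbe32(bin + pos + 8);
 if (lt->start < 0 || lt->start > lt->end || lt->len < 0)
 break; /* sanity check */
- bin = data;
- if (!safeadd(lt->len, &bin)) {
+ if (!safeadd(12, &pos)) {
 break; /* big data + big (bogus) len can wrap around */
 }
- lt->data = data;
- data = bin;
- if (!safeadd(12, &data)) {
+ lt->data = bin + pos;
+ if (!safeadd(lt->len, &pos)) {
 break;
 }
 lt++;
 }
 
- if (bin != end) {
+ if (pos != len) {
 if (!PyErr_Occurred())
 PyErr_SetString(mpatch_Error, "patch cannot be decoded");
 lfree(l);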
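Review bot: A fragment header occupying the last 12 bytes of the input can leave the loop through the `safeadd(lt->len, &pos)` branch with `pos == len`, so the `if (pos != len)` check that follows does not report it. The loop condition permits `pos + 12 == len`, `safeadd(12, &pos)` then brings `pos` to `len`, and if `safeadd` leaves `pos` untouched when it rejects an oversized `lt->len` (its body is not part of this patch, so that is an assumption), the final fragment is dropped without `lt++` and the input is treated as well-formed. Marking the failure explicitly closes the gap, for example `if (!safeadd(lt->len, &pos)) { pos = -1; break; }`, or by jumping to the error path rather than relying on the position comparison. Separately, `data` and `end` in the first hunk look unused after this change and could be removed if nothing outside the hunks reads them. The function begins before the first hunk and continues past the second.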