diff -ruN mercurial-2.6.2/mercurial/mpatch.c mercurial-2.6.2_patched/mercurial/mpatch.c
--- mercurial-2.6.2/mercurial/mpatch.c 2019-10-10 12:04:17.473702325 +0100
+++ mercurial-2.6.2_patched/mercurial/mpatch.c 2019-10-10 12:03:55.538520431 +0100
@@ -285,6 +285,7 @@
 struct flist *l;
 struct frag *lt;
 const char *data = bin + 12, *end = bin + len;
+ int pos = 0;
 /* assume worst case size, we won't have many of these lists */
 l = lalloc(len / 12);
@@ -293,25 +294,23 @@
 lt = l->tail;
- while (data <= end) {
- lt->start = getbe32(bin);
- lt->end = getbe32(bin + 4);
- lt->len = getbe32(bin + 8);
+ while (pos >= 0 && pos < (len - 11)) {
+ lt->start = getbe32(bin + pos);
+ lt->end = getbe32(bin + pos + 4);
+ lt->len = getbe32(bin + pos + 8);
 if (lt->start < 0 || lt->start > lt->end || lt->len < 0)
 break; /* sanity check */
- bin = data;
- if (!safeadd(lt->len, &bin)) {
+ if (!safeadd(12, &pos)) {
 break; /* big data + big (bogus) len can wrap around */
 }
- lt->data = data;
- data = bin;
- if (!safeadd(12, &data)) {
+ lt->data = bin + pos;
+ if (!safeadd(lt->len, &pos)) {
 break;
 }
 lt++;
 }
- if (bin != end) {
+ if (pos != len) {
 if (!PyErr_Occurred())
 PyErr_SetString(mpatch_Error, "patch cannot be decoded");
 lfree(l);
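Review bot: In the first hunk, `const char *data = bin + 12, *end = bin + len;` is kept as context, but the second hunk removes every visible read of `data` and `end`. Unless they are used below the lines shown, they are now dead, and `bin + 12` is still formed for inputs shorter than 12 bytes; I would drop that declaration in the same change. The declaration of `len` is outside the hunk. If it is wider than `int`, `pos` should be declared with the same type so that the loop bound and `pos != len` compare values of one width.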
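Review bot: In the second hunk the new calls pass `&pos`, the address of an `int`, to `safeadd`, while the removed calls passed `&bin` and `&data`, which are `const char *` objects, and this patch does not touch `safeadd`. Its definition is outside the diff, so confirm that it takes an `int *` and rejects signed overflow before adding; otherwise the two `break` guards protect nothing. The bound `pos < (len - 11)` is only safe if `len` is a signed type, which is also not visible here. I would add a comment above the loop, `/* each record: 12-byte header (start, end, len), then len bytes of data; pos != len below rejects a record that runs past the buffer */`, since that final test is what catches a bogus `lt->len`. The enclosing function starts and ends outside the hunk.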