mpatch: avoid integer overflow in combine() (SEC) stable 4.6.1
author Augie Fackler <augie@google.com>
Mon, 30 Apr 2018 22:24:58 -0400
branch stable
changeset 38195 9c5ced5276d6
parent 38194 59837a16896d
child 38196 fc0e23c76587
mpatch: avoid integer overflow in combine() (SEC)

All the callers of this function can handle a NULL return, so that appears to be the "safe" way to report an error.
mercurial/mpatch.c
--- a/mercurial/mpatch.c	Mon Apr 30 22:23:06 2018 -0400
+++ b/mercurial/mpatch.c	Mon Apr 30 22:24:58 2018 -0400
@@ -247,8 +247,18 @@
 
 			/* insert new hunk */
 			ct = c->tail;
-			ct->start = bh->start - offset;
-			ct->end = bh->end - post;
+			ct->start = bh->start;
+			ct->end = bh->end;
+			if (!safesub(offset, &(ct->start)) ||
+			    !safesub(post, &(ct->end))) {
+				/* It was already possible to exit
+				 * this function with a return value
+				 * of NULL before the safesub()s were
+				 * added, so this should be fine. */
+				mpatch_lfree(c);
+				c = NULL;
+				goto done;
+			}
 			ct->len = bh->len;
 			ct->data = bh->data;
 			c->tail++;
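Review bot: in the new failure branch after the two safesub() calls, the comment argues from history ("It was already possible to exit this function with a return value of NULL before the safesub()s were added, so this should be fine") instead of stating the condition being handled. Suggest saying what failed, for example that subtracting offset or post from the hunk bounds would overflow and the combined list c is discarded, so the next reader does not need the changeset context to follow it. The NULL return also gives callers no way to tell this overflow apart from the other NULL exits the comment mentions; if any caller reports NULL as one specific failure, that message will be misleading for a malformed patch, which is worth checking alongside the claim that all callers can handle a NULL return.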
@@ -259,7 +269,7 @@
 		memcpy(c->tail, a->head, sizeof(struct mpatch_frag) * lsize(a));
 		c->tail += lsize(a);
 	}
-
+done:
 	mpatch_lfree(a);
 	mpatch_lfree(b);
 	return c;
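Review bot: the done: label makes the mpatch_lfree(a) and mpatch_lfree(b) calls run on the new failure path as well, so combine() consumes both inputs even when it returns NULL, and that ownership rule is not stated anywhere in these lines. A one-line comment at the label or on the function saying that a and b are always freed would keep a caller from freeing them again after a NULL return. Minor style point: the label replaces the blank line that separated the copy block from the cleanup, so keeping an empty line before done: would preserve the visual break.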