parsers: fix list sizing rounding error (SEC) stable
author Matt Mackall <mpm@selenic.com>
Wed, 16 Mar 2016 17:29:29 -0700
branch stable
changeset 28656 b6ed2505d6cf
parent 28632 a2c2dd399f3b
child 28657 b9714d958e89
parsers: fix list sizing rounding error (SEC)

CVE-2016-3630 (1/2)

This addresses part of a vulnerability in application of binary deltas.
mercurial/mpatch.c
tests/test-revlog.t
--- a/mercurial/mpatch.c	Fri Mar 25 10:47:49 2016 -0700
+++ b/mercurial/mpatch.c	Wed Mar 16 17:29:29 2016 -0700
@@ -205,7 +205,7 @@
 	int pos = 0;
 
 	/* assume worst case size, we won't have many of these lists */
-	l = lalloc(len / 12);
+	l = lalloc(len / 12 + 1);
 	if (!l)
 		return NULL;
 
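Review bot: The comment above `l = lalloc(len / 12 + 1);` still reads only "assume worst case size" and does not say why the `+ 1` is there. `len / 12` rounds down, so a `len` that is not a multiple of 12 got no slot for the remainder, and a `len` under 12 asked `lalloc` for zero entries; a one-line comment stating that would stop a later cleanup from dropping the `+ 1`. Since the commit message marks this as part 1 of 2, it is also worth confirming that the code filling `l` checks each write against the allocated count instead of relying on this estimate alone.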
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/test-revlog.t	Wed Mar 16 17:29:29 2016 -0700
@@ -0,0 +1,15 @@
+Test for CVE-2016-3630
+
+  $ hg init
+
+  >>> open("a.i", "w").write(
+  ... """eJxjYGZgZIAAYQYGxhgom+k/FMx8YKx9ZUaKSOyqo4cnuKb8mbqHV5cBCVTMWb1Cwqkhe4Gsg9AD
+  ... Joa3dYtcYYYBAQ8Qr4OqZAYRICPTSr5WKd/42rV36d+8/VmrNpv7NP1jQAXrQE4BqQUARngwVA=="""
+  ... .decode("base64").decode("zlib"))
+
+  $ hg debugindex a.i
+     rev    offset  length  delta linkrev nodeid       p1           p2
+       0         0      19     -1       2 99e0332bd498 000000000000 000000000000
+       1        19      12      0       3 6674f57a23d8 99e0332bd498 000000000000
+  $ hg debugdata a.i 1 2>&1 | grep decoded
+  mpatch.mpatchError: patch cannot be decoded
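Review bot: The `open("a.i", "w")` call writes decompressed binary index data through a text-mode handle; use `"wb"` so the bytes are not altered on platforms that translate line endings. The base64 blob is opaque to a reader, so a short comment describing what is malformed in the delta for rev 1 would make the test maintainable. Piping `hg debugdata a.i 1 2>&1` through `grep decoded` asserts only on the message text; if the intent is to prove the command fails cleanly without crashing, also record the exit status of `hg debugdata`.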