Mercurial > hg
comparison mercurial/mpatch.c @ 38192:0b208c13781c stable
mpatch: fix UB in int overflows in gather() (SEC)
| author | Augie Fackler <augie@google.com> |
|---|---|
| date | Mon, 30 Apr 2018 22:15:11 -0400 |
| parents | b8b253aec953 |
| children | 7f22ef3c0ee7 |
comparison
equal
deleted
inserted
replaced
| 38191:b8b253aec953 | 38192:0b208c13781c |
|---|---|
| 107 { | 107 { |
| 108 struct mpatch_frag *d = dest->tail, *s = src->head; | 108 struct mpatch_frag *d = dest->tail, *s = src->head; |
| 109 int postend, c, l; | 109 int postend, c, l; |
| 110 | 110 |
| 111 while (s != src->tail) { | 111 while (s != src->tail) { |
| 112 if (s->start + offset >= cut) | 112 int soffset = s->start; |
| 113 if (!safeadd(offset, &soffset)) | |
| 114 break; /* add would overflow, oh well */ | |
| 115 if (soffset >= cut) | |
| 113 break; /* we've gone far enough */ | 116 break; /* we've gone far enough */ |
| 114 | 117 |
| 115 postend = offset + s->start + s->len; | 118 postend = offset; |
| 119 if (!safeadd(s->start, &postend) || | |
| 120 !safeadd(s->len, &postend)) { | |
| 121 break; | |
| 122 } | |
| 116 if (postend <= cut) { | 123 if (postend <= cut) { |
| 117 /* save this hunk */ | 124 /* save this hunk */ |
| 118 offset += s->start + s->len - s->end; | 125 int tmp = s->start; |
| 126 if (!safesub(s->end, &tmp)) { | |
| 127 break; | |
| 128 } | |
| 129 if (!safeadd(s->len, &tmp)) { | |
| 130 break; | |
| 131 } | |
| 132 if (!safeadd(tmp, &offset)) { | |
| 133 break; /* add would overflow, oh well */ | |
| 134 } | |
| 119 *d++ = *s++; | 135 *d++ = *s++; |
| 120 } else { | 136 } else { |
| 121 /* break up this hunk */ | 137 /* break up this hunk */ |
| 122 c = cut - offset; | 138 c = cut; |
| 139 if (!safesub(offset, &c)) { | |
| 140 break; | |
| 141 } | |
| 123 if (s->end < c) | 142 if (s->end < c) |
| 124 c = s->end; | 143 c = s->end; |
| 125 l = cut - offset - s->start; | 144 l = cut - offset - s->start; |
| 126 if (s->len < l) | 145 if (s->len < l) |
| 127 l = s->len; | 146 l = s->len; |