comparison mercurial/linelog.py @ 38935:27a54096c92e
linelog: fix infinite loop vulnerability

Checking `len(lines)` is not a great way of detecting infinite loops, as
demonstrated in the added test. Therefore check instruction count instead.

The original C implementation does not have this problem. There are a few
other places where the C implementation enforces more strictly, like
`a1 <= a2`, `b1 <= b2`, `rev > 0`. But they are optional.

Test Plan:
Add a test. The old code forces the test to time out.

Differential Revision: https://phab.mercurial-scm.org/D4151

author | Jun Wu <quark@fb.com> |
---|---|
date | Mon, 06 Aug 2018 22:24:00 -0700 |
parents | 6fed8b323651 |
children | 70a19e804deb |
38934:35180ade80c1 | 38935:27a54096c92e |
---|---|
358 self._maxrev = rev | 358 self._maxrev = rev |
359 | 359 |
360 def annotate(self, rev): | 360 def annotate(self, rev): |
361 pc = 1 | 361 pc = 1 |
362 lines = [] | 362 lines = [] |
363 # Sanity check: if len(lines) is longer than len(program), we | 363 executed = 0 |
364 # Sanity check: if instructions executed exceeds len(program), we | |
364 # hit an infinite loop in the linelog program somehow and we | 365 # hit an infinite loop in the linelog program somehow and we |
365 # should stop. | 366 # should stop. |
366 while pc is not None and len(lines) < len(self._program): | 367 while pc is not None and executed < len(self._program): |
367 inst = self._program[pc] | 368 inst = self._program[pc] |
368 lastpc = pc | 369 lastpc = pc |
369 pc = inst.execute(rev, pc, lines.append) | 370 pc = inst.execute(rev, pc, lines.append) |
371 executed += 1 | |
370 if pc is not None: | 372 if pc is not None: |
371 raise LineLogError( | 373 raise LineLogError( |
372 'Probably hit an infinite loop in linelog. Program:\n' + | 374 'Probably hit an infinite loop in linelog. Program:\n' + |
373 self.debugstr()) | 375 self.debugstr()) |
374 ar = annotateresult(rev, lines, lastpc) | 376 ar = annotateresult(rev, lines, lastpc) |
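
Review bot: The new limit in `while pc is not None and executed < len(self._program)` is only sound if a terminating run never executes the same instruction twice, and the comment above the loop should state that invariant, since it is what makes `len(self._program)` a safe upper bound rather than an arbitrary one. Separately, the `pc` returned by `inst.execute(rev, pc, lines.append)` is still used unchecked in `self._program[pc]` on the next iteration, so a malformed program that jumps outside the program is not turned into a `LineLogError` by this loop; a range check on `pc` before indexing would route that case through the same error path as the loop detection.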