comparison mercurial/linelog.py @ 38935:27a54096c92e

linelog: fix infinite loop vulnerability

Checking `len(lines)` is not a great way of detecting infinite loops, as demonstrated in the added test. Therefore check instruction count instead.

The original C implementation does not have this problem. There are a few other places where the C implementation enforces more strictly, like `a1 <= a2`, `b1 <= b2`, `rev > 0`. But they are optional.

Test Plan:
Add a test. The old code forces the test to time out.

Differential Revision: https://phab.mercurial-scm.org/D4151

author Jun Wu <quark@fb.com>
date Mon, 06 Aug 2018 22:24:00 -0700
parents 6fed8b323651
children 70a19e804deb
comparison
38934:35180ade80c1 38935:27a54096c92e
358 self._maxrev = rev 358 self._maxrev = rev
359 359
360 def annotate(self, rev): 360 def annotate(self, rev):
361 pc = 1 361 pc = 1
362 lines = [] 362 lines = []
363 # Sanity check: if len(lines) is longer than len(program), we 363 executed = 0
364 # Sanity check: if instructions executed exceeds len(program), we
364 # hit an infinite loop in the linelog program somehow and we 365 # hit an infinite loop in the linelog program somehow and we
365 # should stop. 366 # should stop.
366 while pc is not None and len(lines) < len(self._program): 367 while pc is not None and executed < len(self._program):
367 inst = self._program[pc] 368 inst = self._program[pc]
368 lastpc = pc 369 lastpc = pc
369 pc = inst.execute(rev, pc, lines.append) 370 pc = inst.execute(rev, pc, lines.append)
371 executed += 1
370 if pc is not None: 372 if pc is not None:
371 raise LineLogError( 373 raise LineLogError(
372 'Probably hit an infinite loop in linelog. Program:\n' + 374 'Probably hit an infinite loop in linelog. Program:\n' +
373 self.debugstr()) 375 self.debugstr())
374 ar = annotateresult(rev, lines, lastpc) 376 ar = annotateresult(rev, lines, lastpc)
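Review bot: at new line 368, `inst = self._program[pc]` still indexes with whatever `inst.execute` returned, and the new `executed` bound only catches cycles, not a program counter that points outside the program. A malformed program whose jump target is past the end would surface as an IndexError rather than a LineLogError, and if `_program` is a plain list a negative pc would index from the end without any error. Consider checking `0 <= pc < len(self._program)` inside the loop and raising LineLogError when it fails, in line with the stricter checks the commit message says the C implementation has. Minor: the comment at new line 364 says "exceeds len(program)" while the loop condition at 367 stops as soon as `executed` equals `len(self._program)`; the wording should match the bound.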