Mercurial: mercurial/parsers.c comparison

comparison mercurial/parsers.c @ 25810:82d6a35cf432

parsers: fix buffer overflow by invalid parent revision read from revlog If revlog file is corrupted, it can have parent pointing to invalid revision. So we should validate it before updating nothead[], phases[], seen[], etc. Otherwise it would cause segfault at best. We could use "rev" instead of "maxrev" as upper bound, but I think the explicit "maxrev" can clarify that we just want to avoid possible buffer overflow vulnerability.

author	Yuya Nishihara <yuya@tcha.org>
date	Thu, 16 Jul 2015 23:36:08 +0900
parents	72b2711f12ea
children	895f04955a49

comparison

equal deleted inserted replaced

-:ebb5bb9bc32e
+:82d6a35cf432
 	}
 	return PyString_AS_STRING(self->data) + pos * v1_hdrsize;
 }
-static inline void index_get_parents(indexObject *self, Py_ssize_t rev,
+static inline int index_get_parents(indexObject *self, Py_ssize_t rev,
-				int *ps)
+				    int *ps, int maxrev)
 {
 	if (rev >= self->length - 1) {
 		PyObject *tuple = PyList_GET_ITEM(self->added,
 						  rev - self->length + 1);
 		ps[0] = (int)PyInt_AS_LONG(PyTuple_GET_ITEM(tuple, 5));
 	} else {
 		const char *data = index_deref(self, rev);
 		ps[0] = getbe32(data + 24);
 		ps[1] = getbe32(data + 28);
 	}
+	/* If index file is corrupted, ps[] may point to invalid revisions. So
+	 * there is a risk of buffer overflow to trust them unconditionally. */
+	if (ps[0] > maxrev || ps[1] > maxrev) {
+		PyErr_SetString(PyExc_ValueError, "parent out of range");
+		return -1;
+	}
+	return 0;
 }
 /*
 * RevlogNG format (all in big endian, data may be inlined):
 	}
 	/* Propagate the phase information from the roots to the revs */
 	if (minrevallphases != -1) {
 		int parents[2];
 		for (i = minrevallphases; i < len; i++) {
-			index_get_parents(self, i, parents);
+			if (index_get_parents(self, i, parents, len - 1) < 0)
+				goto release_phasesetlist;
 			set_phase_from_parents(phases, parents[0], parents[1], i);
 		}
 	}
 	/* Transform phase list to a python list */
 	phaseslist = PyList_New(len);
 		if (isfiltered) {
 			nothead[i] = 1;
 			continue;
 		}
-		index_get_parents(self, i, parents);
+		if (index_get_parents(self, i, parents, len - 1) < 0)
+			goto bail;
 		for (j = 0; j < 2; j++) {
 			if (parents[j] >= 0)
 				nothead[parents[j]] = 1;
 		}
 	}
 					if (revs[i] == v)
 						goto done;
 				}
 			}
 		}
-		index_get_parents(self, v, parents);
+		if (index_get_parents(self, v, parents, maxrev) < 0)
+			goto bail;
 		for (i = 0; i < 2; i++) {
 			int p = parents[i];
 			if (p == -1)
 				continue;
 		if (dv == 0)
 			continue;
 		sv = seen[v];
-		index_get_parents(self, v, parents);
+		if (index_get_parents(self, v, parents, maxrev) < 0)
+			goto bail;
 		for (i = 0; i < 2; i++) {
 			int p = parents[i];
 			long nsp, sp;
 			int dp;

Mercurial > hg

comparison mercurial/parsers.c @ 25810:82d6a35cf432