Mercurial > hg
comparison mercurial/mpatch.c @ 38187:90a274965de7 stable
mpatch: be more careful about parsing binary patch data (SEC)
It appears to have been possible to trivially walk off the end of an
allocated region with a malformed patch. Oops.
Caught when writing an mpatch fuzzer for oss-fuzz.
This defect is OVE-20180430-0001. A CVE has not been obtained as of
this writing.
| author | Augie Fackler <augie@google.com> |
|---|---|
| date | Sat, 28 Apr 2018 00:42:16 -0400 |
| parents | 1f4249c764f1 |
| children | 1acfc35d478c |
comparison
equal
deleted
inserted
replaced
| 38186:c0081d3e1598 | 38187:90a274965de7 |
|---|---|
| 195 if (!l) | 195 if (!l) |
| 196 return MPATCH_ERR_NO_MEM; | 196 return MPATCH_ERR_NO_MEM; |
| 197 | 197 |
| 198 lt = l->tail; | 198 lt = l->tail; |
| 199 | 199 |
| 200 while (pos >= 0 && pos < len) { | 200 /* We check against len-11 to ensure we have at least 12 bytes |
| 201 left in the patch so we can read our three be32s out of it. */ | |
| 202 while (pos >= 0 && pos < (len - 11)) { | |
| 201 lt->start = getbe32(bin + pos); | 203 lt->start = getbe32(bin + pos); |
| 202 lt->end = getbe32(bin + pos + 4); | 204 lt->end = getbe32(bin + pos + 4); |
| 203 lt->len = getbe32(bin + pos + 8); | 205 lt->len = getbe32(bin + pos + 8); |
| 204 lt->data = bin + pos + 12; | 206 lt->data = bin + pos + 12; |
| 205 pos += 12 + lt->len; | 207 pos += 12 + lt->len; |