Mercurial > hg
comparison mercurial/mpatch.c @ 38195:9c5ced5276d6 stable 4.6.1
mpatch: avoid integer overflow in combine() (SEC)
All the callers of this function can handle a NULL return, so that
appears to be the "safe" way to report an error.
author | Augie Fackler <augie@google.com> |
---|---|
date | Mon, 30 Apr 2018 22:24:58 -0400 |
parents | 59837a16896d |
children | 763b45bc4483 |
comparison
equal
deleted
inserted
replaced
38194:59837a16896d | 38195:9c5ced5276d6 |
---|---|
245 /* discard replaced hunks */ | 245 /* discard replaced hunks */ |
246 post = discard(a, bh->end, offset); | 246 post = discard(a, bh->end, offset); |
247 | 247 |
248 /* insert new hunk */ | 248 /* insert new hunk */ |
249 ct = c->tail; | 249 ct = c->tail; |
250 ct->start = bh->start - offset; | 250 ct->start = bh->start; |
251 ct->end = bh->end - post; | 251 ct->end = bh->end; |
252 if (!safesub(offset, &(ct->start)) || | |
253 !safesub(post, &(ct->end))) { | |
254 /* It was already possible to exit | |
255 * this function with a return value | |
256 * of NULL before the safesub()s were | |
257 * added, so this should be fine. */ | |
258 mpatch_lfree(c); | |
259 c = NULL; | |
260 goto done; | |
261 } | |
252 ct->len = bh->len; | 262 ct->len = bh->len; |
253 ct->data = bh->data; | 263 ct->data = bh->data; |
254 c->tail++; | 264 c->tail++; |
255 offset = post; | 265 offset = post; |
256 } | 266 } |
257 | 267 |
258 /* hold on to tail from a */ | 268 /* hold on to tail from a */ |
259 memcpy(c->tail, a->head, sizeof(struct mpatch_frag) * lsize(a)); | 269 memcpy(c->tail, a->head, sizeof(struct mpatch_frag) * lsize(a)); |
260 c->tail += lsize(a); | 270 c->tail += lsize(a); |
261 } | 271 } |
262 | 272 done: |
263 mpatch_lfree(a); | 273 mpatch_lfree(a); |
264 mpatch_lfree(b); | 274 mpatch_lfree(b); |
265 return c; | 275 return c; |
266 } | 276 } |
267 | 277 |