Mercurial > hg
comparison mercurial/mpatch.c @ 38195:9c5ced5276d6 stable 4.6.1
mpatch: avoid integer overflow in combine() (SEC)
All the callers of this function can handle a NULL return, so that
appears to be the "safe" way to report an error.
| author | Augie Fackler <augie@google.com> |
|---|---|
| date | Mon, 30 Apr 2018 22:24:58 -0400 |
| parents | 59837a16896d |
| children | 763b45bc4483 |
comparison
equal
deleted
inserted
replaced
| 38194:59837a16896d | 38195:9c5ced5276d6 |
|---|---|
| 245 /* discard replaced hunks */ | 245 /* discard replaced hunks */ |
| 246 post = discard(a, bh->end, offset); | 246 post = discard(a, bh->end, offset); |
| 247 | 247 |
| 248 /* insert new hunk */ | 248 /* insert new hunk */ |
| 249 ct = c->tail; | 249 ct = c->tail; |
| 250 ct->start = bh->start - offset; | 250 ct->start = bh->start; |
| 251 ct->end = bh->end - post; | 251 ct->end = bh->end; |
| 252 if (!safesub(offset, &(ct->start)) || | |
| 253 !safesub(post, &(ct->end))) { | |
| 254 /* It was already possible to exit | |
| 255 * this function with a return value | |
| 256 * of NULL before the safesub()s were | |
| 257 * added, so this should be fine. */ | |
| 258 mpatch_lfree(c); | |
| 259 c = NULL; | |
| 260 goto done; | |
| 261 } | |
| 252 ct->len = bh->len; | 262 ct->len = bh->len; |
| 253 ct->data = bh->data; | 263 ct->data = bh->data; |
| 254 c->tail++; | 264 c->tail++; |
| 255 offset = post; | 265 offset = post; |
| 256 } | 266 } |
| 257 | 267 |
| 258 /* hold on to tail from a */ | 268 /* hold on to tail from a */ |
| 259 memcpy(c->tail, a->head, sizeof(struct mpatch_frag) * lsize(a)); | 269 memcpy(c->tail, a->head, sizeof(struct mpatch_frag) * lsize(a)); |
| 260 c->tail += lsize(a); | 270 c->tail += lsize(a); |
| 261 } | 271 } |
| 262 | 272 done: |
| 263 mpatch_lfree(a); | 273 mpatch_lfree(a); |
| 264 mpatch_lfree(b); | 274 mpatch_lfree(b); |
| 265 return c; | 275 return c; |
| 266 } | 276 } |
| 267 | 277 |