Mercurial: mercurial/cext/revlog.c comparison

comparison mercurial/cext/revlog.c @ 40812:9cdd525d97b2 stable

revlog: fix out-of-bounds access by negative parents read from revlog (SEC) 82d6a35cf432 wasn't enough. Several callers don't check negative revisions but for -1 (nullrev), which would directly lead to out-of-bounds read, and buffer overflow could follow. RCE might be doable with carefully crafted revlog structure, though I don't think this would be useful attack surface.

author	Yuya Nishihara <yuya@tcha.org>
date	Thu, 01 Nov 2018 20:32:59 +0900
parents	a91a2837150b
children	884321cd26c3

comparison

equal deleted inserted replaced

-:44c2e80db985
+:9cdd525d97b2
 	}
 	return (const char *)(self->buf.buf) + pos * v1_hdrsize;
 }
+/*
+* Get parents of the given rev.
+*
+* The specified rev must be valid and must not be nullrev. A returned
+* parent revision may be nullrev, but is guaranteed to be in valid range.
+*/
 static inline int index_get_parents(indexObject *self, Py_ssize_t rev,
 				    int *ps, int maxrev)
 {
 	if (rev >= self->length) {
 		PyObject *tuple = PyList_GET_ITEM(self->added, rev - self->length);
 		ps[0] = getbe32(data + 24);
 		ps[1] = getbe32(data + 28);
 	}
 	/* If index file is corrupted, ps[] may point to invalid revisions. So
 	 * there is a risk of buffer overflow to trust them unconditionally. */
-	if (ps[0] > maxrev || ps[1] > maxrev) {
+	if (ps[0] < -1 || ps[0] > maxrev || ps[1] < -1 || ps[1] > maxrev) {
 		PyErr_SetString(PyExc_ValueError, "parent out of range");
 		return -1;
 	}
 	return 0;
 }

Mercurial > hg

comparison mercurial/cext/revlog.c @ 40812:9cdd525d97b2 stable