Mercurial > hg

comparison tests/test-parseindex.t @ 40812:9cdd525d97b2 stable

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
revlog: fix out-of-bounds access by negative parents read from revlog (SEC) 82d6a35cf432 wasn't enough. Several callers don't check negative revisions but for -1 (nullrev), which would directly lead to out-of-bounds read, and buffer overflow could follow. RCE might be doable with carefully crafted revlog structure, though I don't think this would be useful attack surface.
author Yuya Nishihara <yuya@tcha.org>
date Thu, 01 Nov 2018 20:32:59 +0900
parents ef6cab7930b3
children 75728718257e
comparison
equal deleted inserted replaced
40803:44c2e80db985 40812:9cdd525d97b2
131 131
132 $ mkdir invalidparent 132 $ mkdir invalidparent
133 $ cd invalidparent 133 $ cd invalidparent
134 134
135 $ hg clone --pull -q --config phases.publish=False ../a limit 135 $ hg clone --pull -q --config phases.publish=False ../a limit
136 $ hg clone --pull -q --config phases.publish=False ../a neglimit
136 $ hg clone --pull -q --config phases.publish=False ../a segv 137 $ hg clone --pull -q --config phases.publish=False ../a segv
137 $ rm -R limit/.hg/cache segv/.hg/cache 138 $ rm -R limit/.hg/cache neglimit/.hg/cache segv/.hg/cache
138 139
139 $ "$PYTHON" <<EOF 140 $ "$PYTHON" <<EOF
140 > data = open("limit/.hg/store/00changelog.i", "rb").read() 141 > data = open("limit/.hg/store/00changelog.i", "rb").read()
141 > for n, p in [(b'limit', b'\0\0\0\x02'), (b'segv', b'\0\x01\0\0')]: 142 > poisons = [
143 > (b'limit', b'\0\0\0\x02'),
144 > (b'neglimit', b'\xff\xff\xff\xfe'),
145 > (b'segv', b'\0\x01\0\0'),
146 > ]
147 > for n, p in poisons:
142 > # corrupt p1 at rev0 and p2 at rev1 148 > # corrupt p1 at rev0 and p2 at rev1
143 > d = data[:24] + p + data[28:127 + 28] + p + data[127 + 32:] 149 > d = data[:24] + p + data[28:127 + 28] + p + data[127 + 32:]
144 > open(n + b"/.hg/store/00changelog.i", "wb").write(d) 150 > open(n + b"/.hg/store/00changelog.i", "wb").write(d)
145 > EOF 151 > EOF
146 152
151 157
152 $ hg -R limit debugdeltachain -c 158 $ hg -R limit debugdeltachain -c
153 rev chain# chainlen prev delta size rawsize chainsize ratio lindist extradist extraratio 159 rev chain# chainlen prev delta size rawsize chainsize ratio lindist extradist extraratio
154 0 1 1 -1 base 63 62 63 1.01613 63 0 0.00000 160 0 1 1 -1 base 63 62 63 1.01613 63 0 0.00000
155 1 2 1 -1 base 66 65 66 1.01538 66 0 0.00000 161 1 2 1 -1 base 66 65 66 1.01538 66 0 0.00000
162
163 $ hg -R neglimit debugrevlogindex -f1 -c
164 rev flag size link p1 p2 nodeid
165 0 0000 62 0 -2 -1 7c31755bf9b5
166 1 0000 65 1 0 -2 26333235a41c
156 167
157 $ hg -R segv debugrevlogindex -f1 -c 168 $ hg -R segv debugrevlogindex -f1 -c
158 rev flag size link p1 p2 nodeid 169 rev flag size link p1 p2 nodeid
159 0 0000 62 0 65536 -1 7c31755bf9b5 170 0 0000 62 0 65536 -1 7c31755bf9b5
160 1 0000 65 1 0 65536 26333235a41c 171 1 0000 65 1 0 65536 26333235a41c
191 reachableroots: parent out of range 202 reachableroots: parent out of range
192 compute_phases_map_sets: parent out of range 203 compute_phases_map_sets: parent out of range
193 index_headrevs: parent out of range 204 index_headrevs: parent out of range
194 find_gca_candidates: parent out of range 205 find_gca_candidates: parent out of range
195 find_deepest: parent out of range 206 find_deepest: parent out of range
207 $ "$PYTHON" test.py neglimit/.hg/store
208 reachableroots: parent out of range
209 compute_phases_map_sets: parent out of range
210 index_headrevs: parent out of range
211 find_gca_candidates: parent out of range
212 find_deepest: parent out of range
196 $ "$PYTHON" test.py segv/.hg/store 213 $ "$PYTHON" test.py segv/.hg/store
197 reachableroots: parent out of range 214 reachableroots: parent out of range
198 compute_phases_map_sets: parent out of range 215 compute_phases_map_sets: parent out of range
199 index_headrevs: parent out of range 216 index_headrevs: parent out of range
200 find_gca_candidates: parent out of range 217 find_gca_candidates: parent out of range