# HG changeset patch
# User Jun Wu <quark@fb.com>
# Date 1533619440 25200
# Node ID 27a54096c92e22143d7103a4b61443c0a7621aef
# Parent  35180ade80c1cd90202b0b2103e234f83d175603
linelog: fix infinite loop vulnerability

Checking `len(lines)` is not a great way of detecting infinite loops, as
demonstrated in the added test. Therefore check instruction count instead.

The original C implementation does not have this problem. There are a few
other places where the C implementation enforces more strictly, like
`a1 <= a2`, `b1 <= b2`, `rev > 0`. But they are optional.

Test Plan:
Add a test. The old code forces the test to time out.

Differential Revision: https://phab.mercurial-scm.org/D4151

diff -r 35180ade80c1 -r 27a54096c92e mercurial/linelog.py
--- a/mercurial/linelog.py	Mon Aug 06 17:19:33 2018 -0400
+++ b/mercurial/linelog.py	Mon Aug 06 22:24:00 2018 -0700
@@ -360,13 +360,15 @@
     def annotate(self, rev):
         pc = 1
         lines = []
-        # Sanity check: if len(lines) is longer than len(program), we
+        executed = 0
+        # Sanity check: if instructions executed exceeds len(program), we
         # hit an infinite loop in the linelog program somehow and we
         # should stop.
-        while pc is not None and len(lines) < len(self._program):
+        while pc is not None and executed < len(self._program):
             inst = self._program[pc]
             lastpc = pc
             pc = inst.execute(rev, pc, lines.append)
+            executed += 1
         if pc is not None:
             raise LineLogError(
                 'Probably hit an infinite loop in linelog. Program:\n' +
diff -r 35180ade80c1 -r 27a54096c92e tests/test-linelog.py
--- a/tests/test-linelog.py	Mon Aug 06 17:19:33 2018 -0400
+++ b/tests/test-linelog.py	Mon Aug 06 22:24:00 2018 -0700
@@ -179,6 +179,15 @@
             ar = ll.annotate(rev)
             self.assertEqual([(l.rev, l.linenum) for l in ar], lines)
 
+    def testinfinitebadprogram(self):
+        ll = linelog.linelog.fromdata(
+            b'\x00\x00\x00\x00\x00\x00\x00\x02'  # header
+            b'\x00\x00\x00\x00\x00\x00\x00\x01'  # JUMP to self
+        )
+        with self.assertRaises(linelog.LineLogError):
+            # should not be an infinite loop and raise
+            ll.annotate(1)
+
 if __name__ == '__main__':
     import silenttestrunner
     silenttestrunner.main(__name__)