# HG changeset patch # User Matt Mackall # Date 1458174569 25200 # Node ID b6ed2505d6cf1d73f7f5c62e7369c4ce65cd3732 # Parent a2c2dd399f3b9fb84edd75a930e895f0c5e4ad5b parsers: fix list sizing rounding error (SEC) CVE-2016-3630 (1/2) This addresses part of a vulnerability in application of binary deltas. diff -r a2c2dd399f3b -r b6ed2505d6cf mercurial/mpatch.c --- a/mercurial/mpatch.c Fri Mar 25 10:47:49 2016 -0700 +++ b/mercurial/mpatch.c Wed Mar 16 17:29:29 2016 -0700 @@ -205,7 +205,7 @@ int pos = 0; /* assume worst case size, we won't have many of these lists */ - l = lalloc(len / 12); + l = lalloc(len / 12 + 1); if (!l) return NULL; diff -r a2c2dd399f3b -r b6ed2505d6cf tests/test-revlog.t --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/tests/test-revlog.t Wed Mar 16 17:29:29 2016 -0700 @@ -0,0 +1,15 @@ +Test for CVE-2016-3630 + + $ hg init + + >>> open("a.i", "w").write( + ... """eJxjYGZgZIAAYQYGxhgom+k/FMx8YKx9ZUaKSOyqo4cnuKb8mbqHV5cBCVTMWb1Cwqkhe4Gsg9AD + ... Joa3dYtcYYYBAQ8Qr4OqZAYRICPTSr5WKd/42rV36d+8/VmrNpv7NP1jQAXrQE4BqQUARngwVA==""" + ... .decode("base64").decode("zlib")) + + $ hg debugindex a.i + rev offset length delta linkrev nodeid p1 p2 + 0 0 19 -1 2 99e0332bd498 000000000000 000000000000 + 1 19 12 0 3 6674f57a23d8 99e0332bd498 000000000000 + $ hg debugdata a.i 1 2>&1 | grep decoded + mpatch.mpatchError: patch cannot be decoded
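Review bot: In the mercurial/mpatch.c hunk, the comment above the allocation ("assume worst case size, we won't have many of these lists") is left unchanged and still does not say where the 12 comes from or why one extra slot is needed. Since `len / 12` is integer division and rounds down, a `len` that is not a multiple of 12 gets a list one entry shorter than the number of records the input may start; please state that in the comment next to `l = lalloc(len / 12 + 1);` so the `+ 1` is not later removed as an apparent off-by-one. The visible lines only change the allocation size and show no check of the write position against the allocated count, and the commit message says this addresses part of the vulnerability, so it is worth confirming that the companion change bounds the writes rather than relying on the sizing alone.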
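Review bot: In the tests/test-revlog.t hunk, the fixture is written with `open("a.i", "w")`, which is text mode, although the decoded payload is binary revlog data; use `"wb"` so the bytes land on disk unchanged on every platform. The base64 and zlib blob is also opaque to a reader: a short comment saying what the crafted index contains (for instance that revision 1 is the 12-byte delta against revision 0 that `hg debugindex` lists) would let someone regenerate or audit it. Finally, `grep decoded` asserts only on the error text, so consider matching the full `mpatch.mpatchError: patch cannot be decoded` line without the filter, so that any other output from `hg debugdata` shows up as a test failure.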