Mercurial > hg
changeset 7176:14848fc8e26c
merge with crew
| author | Benoit Boissinot <benoit.boissinot@ens-lyon.org> |
|---|---|
| date | Sun, 19 Oct 2008 20:29:41 +0200 |
| parents | 5d8626b2c1db (diff) 37dd322adc81 (current diff) |
| children | 09ed32b79656 |
| files | mercurial/parsers.c |
| diffstat | 1 files changed, 13 insertions(+), 5 deletions(-) [+] |
line wrap: on
line diff
--- a/mercurial/parsers.c Sun Oct 19 19:10:26 2008 +0200 +++ b/mercurial/parsers.c Sun Oct 19 20:29:41 2008 +0200 @@ -164,7 +164,8 @@ PyObject *dmap, *cmap, *parents = NULL, *ret = NULL; PyObject *fname = NULL, *cname = NULL, *entry = NULL; char *str, *cur, *end, *cpos; - int state, mode, size, mtime, flen; + int state, mode, size, mtime; + unsigned int flen; int len; char decode[16]; /* for alignment */ @@ -195,13 +196,15 @@ mtime = ntohl(*(uint32_t *)(decode + 8)); flen = ntohl(*(uint32_t *)(decode + 12)); cur += 17; - if (cur + flen > end) + if (flen > end - cur) { + PyErr_SetString(PyExc_ValueError, "overflow in dirstate"); goto quit; + } entry = Py_BuildValue("ciii", state, mode, size, mtime); - PyObject_GC_UnTrack(entry); /* don't waste time with this */ if (!entry) goto quit; + PyObject_GC_UnTrack(entry); /* don't waste time with this */ cpos = memchr(cur, 0, flen); if (cpos) { @@ -295,6 +298,8 @@ char decode[64]; /* to enforce alignment with inline data */ while (data < end) { + unsigned int step; + memcpy(decode, data, 64); offset_flags = ntohl(*((uint32_t *) (decode + 4))); if (n == 0) /* mask out version number for the first entry */ @@ -327,10 +332,13 @@ } else PyList_SET_ITEM(index, n, entry); /* steals reference */ - data += 64 + (inlined ? comp_len : 0); n++; + step = 64 + (inlined ? comp_len : 0); + if (end - data < step) + break; + data += step; } - if (data > end) { + if (data != end) { if (!PyErr_Occurred()) PyErr_SetString(PyExc_ValueError, "corrupt index file"); return 0;