Mercurial > hg
changeset 39940:5405cb1a7901 stable 4.7.2
manifest: fix out-of-bounds read of corrupted manifest entry
Spotted by ASAN.
author | Yuya Nishihara <yuya@tcha.org> |
---|---|
date | Wed, 05 Sep 2018 21:23:29 +0900 |
parents | e85462d48cb3 |
children | 636a0e390634 |
files | mercurial/cext/manifest.c |
diffstat | 1 files changed, 10 insertions(+), 2 deletions(-) [+] |
line wrap: on
line diff
--- a/mercurial/cext/manifest.c Wed Sep 05 21:32:45 2018 +0900 +++ b/mercurial/cext/manifest.c Wed Sep 05 21:23:29 2018 +0900 @@ -51,7 +51,12 @@ { char *s = l->start; ssize_t llen = pathlen(l); - PyObject *hash = unhexlify(s + llen + 1, 40); + PyObject *hash; + if (llen + 1 + 40 + 1 > l->len) { /* path '\0' hash '\n' */ + PyErr_SetString(PyExc_ValueError, "manifest line too short"); + return NULL; + } + hash = unhexlify(s + llen + 1, 40); if (!hash) { return NULL; } @@ -249,10 +254,13 @@ pl = pathlen(l); path = PyBytes_FromStringAndSize(l->start, pl); hash = nodeof(l); + if (!path || !hash) { + goto done; + } consumed = pl + 41; flags = PyBytes_FromStringAndSize(l->start + consumed, l->len - consumed - 1); - if (!path || !hash || !flags) { + if (!flags) { goto done; } ret = PyTuple_Pack(3, path, hash, flags);