Mercurial: changeset 38194:59837a16896d

author	Augie Fackler <augie@google.com>
	Mon, 30 Apr 2018 22:23:06 -0400
branch	stable
changeset 38194	59837a16896d
parent 38193	7f22ef3c0ee7
child 38195	9c5ced5276d6

mpatch: avoid integer overflow in mpatch_decode (SEC)

--- a/mercurial/mpatch.c	Mon Apr 30 22:20:13 2018 -0400
+++ b/mercurial/mpatch.c	Mon Apr 30 22:23:06 2018 -0400
@@ -285,10 +285,15 @@
 		lt->start = getbe32(bin + pos);
 		lt->end = getbe32(bin + pos + 4);
 		lt->len = getbe32(bin + pos + 8);
-		lt->data = bin + pos + 12;
-		pos += 12 + lt->len;
-		if (lt->start > lt->end || lt->len < 0)
+		if (lt->start < 0 || lt->start > lt->end || lt->len < 0)
 			break; /* sanity check */
+		if (!safeadd(12, &pos)) {
+			break;
+		}
+		lt->data = bin + pos;
+		if (!safeadd(lt->len, &pos)) {
+			break;
+		}
 		lt++;
 	}