changeset 38187:90a274965de7 stable
mpatch: be more careful about parsing binary patch data (SEC)
It appears to have been possible to trivially walk off the end of an
allocated region with a malformed patch. Oops.
Caught when writing an mpatch fuzzer for oss-fuzz.
This defect is OVE-20180430-0001. A CVE has not been obtained as of
this writing.
| author | Augie Fackler <augie@google.com> |
|---|---|
| date | Sat, 28 Apr 2018 00:42:16 -0400 |
| parents | c0081d3e1598 |
| children | 1acfc35d478c |
| files | mercurial/mpatch.c |
| diffstat | 1 files changed, 3 insertions(+), 1 deletions(-) |
--- a/mercurial/mpatch.c Wed Jun 06 09:14:33 2018 -0700 +++ b/mercurial/mpatch.c Sat Apr 28 00:42:16 2018 -0400 @@ -197,7 +197,9 @@ lt = l->tail; - while (pos >= 0 && pos < len) { + /* We check against len-11 to ensure we have at least 12 bytes + left in the patch so we can read our three be32s out of it. */ + while (pos >= 0 && pos < (len - 11)) { lt->start = getbe32(bin + pos); lt->end = getbe32(bin + pos + 4); lt->len = getbe32(bin + pos + 8);
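Review bot: the new loop guard `pos < (len - 11)` in this hunk is only safe if `len` is a signed type; if `len` is unsigned, `len - 11` wraps to a huge value whenever `len < 11` and the bound is bypassed for every `pos`. Writing the condition as `pos >= 0 && pos + 12 <= len` (or checking `len >= 12` once before the loop) expresses the "three be32s" requirement without depending on signedness and reads more directly than the `len-11` comment. Note also that this guard covers only the 12 header bytes read by the three `getbe32` calls; the `lt->len` bytes of fragment data that follow are read outside the visible context and should be confirmed to be bounds-checked against `len` as well.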