changeset 38187:90a274965de7 stable

mpatch: be more careful about parsing binary patch data (SEC)

It appears to have been possible to trivially walk off the end of an allocated region with a malformed patch. Oops. Caught when writing an mpatch fuzzer for oss-fuzz. This defect is OVE-20180430-0001. A CVE has not been obtained as of this writing.
author Augie Fackler <augie@google.com>
date Sat, 28 Apr 2018 00:42:16 -0400
parents c0081d3e1598
children 1acfc35d478c
files mercurial/mpatch.c
diffstat 1 files changed, 3 insertions(+), 1 deletions(-)
--- a/mercurial/mpatch.c	Wed Jun 06 09:14:33 2018 -0700
+++ b/mercurial/mpatch.c	Sat Apr 28 00:42:16 2018 -0400
@@ -197,7 +197,9 @@
 
 	lt = l->tail;
 
-	while (pos >= 0 && pos < len) {
+	/* We check against len-11 to ensure we have at least 12 bytes
+	   left in the patch so we can read our three be32s out of it. */
+	while (pos >= 0 && pos < (len - 11)) {
 		lt->start = getbe32(bin + pos);
 		lt->end = getbe32(bin + pos + 4);
 		lt->len = getbe32(bin + pos + 8);
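Review bot: the new bound `pos < (len - 11)` is only safe if `len` is a signed type; if `len` were unsigned, a patch shorter than 11 bytes would make `len - 11` wrap to a huge value and the loop would read past the buffer exactly as before, so it is worth confirming the declared type of `len` at this call site or writing the condition as `pos + 12 <= len`, which states the intent in the comment ("at least 12 bytes left") directly and does not depend on the subtraction. The change bounds the three `getbe32` reads at `bin + pos`, `bin + pos + 4` and `bin + pos + 8`, but the values loaded into `lt->start`, `lt->end` and `lt->len` are attacker-controlled and are presumably used later to advance `pos` and to index the data being patched; those uses need their own range checks, which this hunk does not show, so the commit message's claim that the walk-off is fixed should be read as covering only the header reads in this loop.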