Mercurial Mercurial > hg / changeset
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | raw | zip | gz | bz2 | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
mpatch: be more careful about parsing binary patch data (SEC) stable
authorAugie Fackler <augie@google.com>
Sat, 28 Apr 2018 00:42:16 -0400
branchstable
changeset 38187 90a274965de7
parent 38186 c0081d3e1598
child 38188 1acfc35d478c
mpatch: be more careful about parsing binary patch data (SEC) It appears to have been possible to trivially walk off the end of an allocated region with a malformed patch. Oops. Caught when writing an mpatch fuzzer for oss-fuzz. This defect is OVE-20180430-0001. A CVE has not been obtained as of this writing.
mercurial/mpatch.c file | annotate | diff | comparison | revisions 
--- a/mercurial/mpatch.c	Wed Jun 06 09:14:33 2018 -0700
+++ b/mercurial/mpatch.c	Sat Apr 28 00:42:16 2018 -0400
@@ -197,7 +197,9 @@
 
 	lt = l->tail;
 
-	while (pos >= 0 && pos < len) {
+	/* We check against len-11 to ensure we have at least 12 bytes
+	   left in the patch so we can read our three be32s out of it. */
+	while (pos >= 0 && pos < (len - 11)) {
 		lt->start = getbe32(bin + pos);
 		lt->end = getbe32(bin + pos + 4);
 		lt->len = getbe32(bin + pos + 8);
Mercurial