changeset 38195:9c5ced5276d6 stable 4.6.1
mpatch: avoid integer overflow in combine() (SEC)
All the callers of this function can handle a NULL return, so that
appears to be the "safe" way to report an error.
author | Augie Fackler <augie@google.com> |
---|---|
date | Mon, 30 Apr 2018 22:24:58 -0400 |
parents | 59837a16896d |
children | fc0e23c76587 |
files | mercurial/mpatch.c |
diffstat | 1 files changed, 13 insertions(+), 3 deletions(-) [+] |
--- a/mercurial/mpatch.c Mon Apr 30 22:23:06 2018 -0400
+++ b/mercurial/mpatch.c Mon Apr 30 22:24:58 2018 -0400
@@ -247,8 +247,18 @@
 /* insert new hunk */
 ct = c->tail;
- ct->start = bh->start - offset;
- ct->end = bh->end - post;
+ ct->start = bh->start;
+ ct->end = bh->end;
+ if (!safesub(offset, &(ct->start)) ||
+ !safesub(post, &(ct->end))) {
+ /* It was already possible to exit
+ * this function with a return value
+ * of NULL before the safesub()s were
+ * added, so this should be fine. */
+ mpatch_lfree(c);
+ c = NULL;
+ goto done;
+ }
 ct->len = bh->len;
 ct->data = bh->data;
 c->tail++;
@@ -259,7 +269,7 @@
 memcpy(c->tail, a->head, sizeof(struct mpatch_frag) * lsize(a));
 c->tail += lsize(a);
 }
-
+done:
 mpatch_lfree(a);
 mpatch_lfree(b);
 return c;
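Review bot: After the two `safesub()` calls in the first hunk, nothing visible checks that the resulting `ct->start` and `ct->end` are non-negative and ordered. If `safesub()` only guards against wraparound (its definition is outside the hunk), a fragment with `start > end` could still be appended to `c`, so this needs confirming there or where fragments are applied. If such ranges are never valid at this point and are not rejected elsewhere, a guard like `if (ct->start < 0 || ct->start > ct->end) { mpatch_lfree(c); c = NULL; goto done; }` would reuse the same failure path. Separately, the added comment argues that returning NULL is tolerable rather than saying what the branch means; something like `/* offset/post subtraction would overflow: drop the partial result and return NULL */` states the contract. combine() starts and ends outside this hunk, so how callers tell this NULL apart from an allocation failure is not visible here.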