dirs: fix out-of-bounds access in Py3
author Martin von Zweigbergk <martinvonz@google.com>
Tue, 10 Dec 2019 14:40:44 -0800
changeset 43838 a47ccdcce4f9
parent 43837 8377570a36a9
child 43839 70060915c3f2
dirs: fix out-of-bounds access in Py3

The hack for mutating Python's variable-length integers that was ported to py3 in cb3048746dae (dirs: port PyInt code to work on Python 3, 2016-10-08) was reading from ob_digit[1] instead of ob_digit[0] for some reason. Space for ob_digit[1] would only be allocated for integers larger than 30 bits, so we ended up writing to unallocated memory. Also, we would write an integer that's 2^30 times too large, so we would never free these integers.

Found by AddressSanitizer.

Differential Revision: https://phab.mercurial-scm.org/D7597
mercurial/cext/dirs.c
--- a/mercurial/cext/dirs.c	Wed Dec 11 11:16:12 2019 +0100
+++ b/mercurial/cext/dirs.c	Tue Dec 10 14:40:44 2019 -0800
@@ -14,7 +14,7 @@
 #include "util.h"
 
 #ifdef IS_PY3K
-#define PYLONG_VALUE(o) ((PyLongObject *)o)->ob_digit[1]
+#define PYLONG_VALUE(o) ((PyLongObject *)o)->ob_digit[0]
 #else
 #define PYLONG_VALUE(o) PyInt_AS_LONG(o)
 #endif
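Review bot: the IS_PY3K definition of PYLONG_VALUE still carries no comment stating the assumption it relies on, namely that the value being mutated always fits in ob_digit[0] (a single digit, which the commit message puts at 30 bits). A short comment above the `#define`, ideally paired with an assertion at the sites that write through the macro, would document why index 0 is correct and make a future overflow into a second digit fail loudly instead of corrupting memory. Separately, the macro argument is not parenthesized inside the cast; `((PyLongObject *)(o))->ob_digit[0]` would keep the cast applied to the whole argument if a caller ever passes a non-trivial expression.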