Mercurial > hg
changeset 43838:a47ccdcce4f9
dirs: fix out-of-bounds access in Py3
The hack for mutating Python's variable-length integers that was
ported to py3 in cb3048746dae (dirs: port PyInt code to work on Python
3, 2016-10-08) was reading from ob_digit[1] instead of ob_digit[0] for
some reason. Space for ob_digit[1] would only be allocated for
integers larger than 30 bits, so we ended up writing to unallocated
memory. Also, we would write an integer that's 2^30 times too large,
so we would never free these integers.
Found by AddressSanitizer.
Differential Revision: https://phab.mercurial-scm.org/D7597
author | Martin von Zweigbergk <martinvonz@google.com> |
---|---|
date | Tue, 10 Dec 2019 14:40:44 -0800 |
parents | 8377570a36a9 |
children | 70060915c3f2 |
files | mercurial/cext/dirs.c |
diffstat | 1 files changed, 1 insertions(+), 1 deletions(-) [+] |
line wrap: on
line diff
--- a/mercurial/cext/dirs.c Wed Dec 11 11:16:12 2019 +0100 +++ b/mercurial/cext/dirs.c Tue Dec 10 14:40:44 2019 -0800 @@ -14,7 +14,7 @@ #include "util.h" #ifdef IS_PY3K -#define PYLONG_VALUE(o) ((PyLongObject *)o)->ob_digit[1] +#define PYLONG_VALUE(o) ((PyLongObject *)o)->ob_digit[0] #else #define PYLONG_VALUE(o) PyInt_AS_LONG(o) #endif