changeset 43838:a47ccdcce4f9

dirs: fix out-of-bounds access in Py3 The hack for mutating Python's variable-length integers that was ported to py3 in cb3048746dae (dirs: port PyInt code to work on Python 3, 2016-10-08) was reading from ob_digit[1] instead of ob_digit[0] for some reason. Space for ob_digit[1] would only be allocated for integers larger than 30 bits, so we ended up writing to unallocated memory. Also, we would write an integer that's 2^30 times too large, so we would never free these integers. Found by AddressSanitizer. Differential Revision: https://phab.mercurial-scm.org/D7597
author Martin von Zweigbergk <martinvonz@google.com>
date Tue, 10 Dec 2019 14:40:44 -0800
parents 8377570a36a9
children 70060915c3f2
files mercurial/cext/dirs.c
diffstat 1 files changed, 1 insertions(+), 1 deletions(-) [+]
line wrap: on
line diff
--- a/mercurial/cext/dirs.c	Wed Dec 11 11:16:12 2019 +0100
+++ b/mercurial/cext/dirs.c	Tue Dec 10 14:40:44 2019 -0800
@@ -14,7 +14,7 @@
 #include "util.h"
 
 #ifdef IS_PY3K
-#define PYLONG_VALUE(o) ((PyLongObject *)o)->ob_digit[1]
+#define PYLONG_VALUE(o) ((PyLongObject *)o)->ob_digit[0]
 #else
 #define PYLONG_VALUE(o) PyInt_AS_LONG(o)
 #endif