mpatch: ensure fragment start isn't past the end of orig (SEC)
Caught by oss-fuzz fuzzer during development.
This defect is OVE-
20180430-0004. A CVE has not been obtained as of
this writing.
--- a/mercurial/mpatch.c Sat Apr 28 02:04:56 2018 -0400
+++ b/mercurial/mpatch.c Sat Apr 28 10:09:12 2018 -0400
@@ -248,7 +248,8 @@
char *p = buf;
while (f != l->tail) {
- if (f->start < last || f->end > len || last < 0) {
+ if (f->start < last || f->start > len || f->end > len ||
+ last < 0) {
return MPATCH_ERR_INVALID_PATCH;
}
memcpy(p, orig + last, f->start - last);