# HG changeset patch
# User Matt Mackall <mpm@selenic.com>
# Date 1458174626 25200
#      Wed Mar 16 17:30:26 2016 -0700
# Branch stable
# Node ID b9714d958e89cd6ff1da46b46f39076c03325ac7
# Parent  b6ed2505d6cf1d73f7f5c62e7369c4ce65cd3732
parsers: detect short records (SEC)
CVE-2016-3630 (2/2)
This addresses part of a vulnerability in binary delta application.
diff --git a/mercurial/mpatch.c b/mercurial/mpatch.c
1f5a365
--- a/mercurial/mpatch.c
1f5a365
+++ b/mercurial/mpatch.c
1f5a365
@@ -215,10 +215,10 @@ static struct flist *decode(const char *
1f5a365
 		lt->start = getbe32(bin + pos);
1f5a365
 		lt->end = getbe32(bin + pos + 4);
1f5a365
 		lt->len = getbe32(bin + pos + 8);
1f5a365
-		if (lt->start > lt->end)
1f5a365
-			break; /* sanity check */
1f5a365
 		lt->data = bin + pos + 12;
1f5a365
 		pos += 12 + lt->len;
1f5a365
+		if (lt->start > lt->end || lt->len < 0)
1f5a365
+			break; /* sanity check */
1f5a365
 		lt++;
1f5a365
 	}
1f5a365
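Review bot: The added `lt->len < 0` test runs only after `pos += 12 + lt->len`, so a record with a very large positive `len` still goes through an unchecked addition. If `pos` is a signed integer (its declaration is outside the hunk), that sum can overflow, which is undefined behaviour rather than a dependable negative value for a later check to catch. Nothing visible in the hunk confirms that 12 header bytes remain at `bin + pos` before the three `getbe32` reads, so a truncated final record may be read past the end of the buffer. I would validate before advancing, ahead of `lt->data = bin + pos + 12;`, with something like `if (lt->start > lt->end || lt->len < 0 || lt->len > remaining - 12) break;`, where `remaining` is a placeholder for the input length minus `pos`, checked to be at least 12 first. The loop head and whatever follows the loop are outside the hunk, so confirm that an early `break` there still reaches the function's error path.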