ref: cd9cddf3dd64b01e7e54ba3a3371a8d0a5c70748
parent: 0237b583906353b78f9cbf2194dc083e82b8ba23
author: cinap_lenrek <cinap_lenrek@felloff.net>
date: Sun Apr 3 00:04:56 EDT 2016
mercurial: CVE-2016-3630 backported the following patches from mercurial 3.7.3: https://selenic.com/repo/hg/rev/b6ed2505d6cf https://selenic.com/repo/hg/rev/b9714d958e89
--- a/sys/lib/python/mercurial/mpatch.c
+++ b/sys/lib/python/mercurial/mpatch.c
@@ -239,7 +239,7 @@
char decode[12]; /* for dealing with alignment issues */
/* assume worst case size, we won't have many of these lists */
- l = lalloc(len / 12);
+ l = lalloc(len / 12 + 1);
if (!l)
return NULL;
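Review bot: The `+ 1` in `l = lalloc(len / 12 + 1);` is left unexplained, and nothing on this line tells a reader why `len / 12` undercounted; the commit record names the CVE but not the reason. Presumably the header-parsing loop that follows (outside this hunk) can accept one more 12-byte fragment header than `len / 12`, leaving the old allocation one element short — confirm against that loop's termination condition. A comment such as `/* +1: the parse loop below may take one more header than len/12 (CVE-2016-3630) */` would stop the next reader from "simplifying" it back. The literal 12 here is the same header size as `decode[12]` two lines up; a named constant would tie the two together. The enclosing function starts outside this hunk, and the identical hunk in sys/src/cmd/hg/mercurial/mpatch.c needs the same comment.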
@@ -250,7 +250,7 @@
lt->start = ntohl(*(uint32_t *)decode);
lt->end = ntohl(*(uint32_t *)(decode + 4));
lt->len = ntohl(*(uint32_t *)(decode + 8));
- if (lt->start > lt->end)
+ if (lt->start > lt->end || lt->len < 0)
break; /* sanity check */
bin = data + lt->len;
if (bin < data)
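Review bot: The widened sanity check `if (lt->start > lt->end || lt->len < 0)` still admits a negative `lt->start`: if `start` and `end` are signed the way `len` evidently is, a negative start paired with an end that is greater than or equal to it passes the check and the offsets flow on into whatever consumes the fragment list. Rejecting it costs one more term, `if (lt->start < 0 || lt->start > lt->end || lt->len < 0)`. Separately, the guard on the following lines, `bin = data + lt->len; if (bin < data)`, only works if an out-of-bounds pointer addition wraps, which is undefined behaviour in C and may be optimised out; a comparison against the remaining input length (e.g. `lt->len > end - data`, assuming `end` bounds the input buffer as its name suggests — confirm in the function header) is well-defined. The enclosing function starts and ends outside this hunk; the identical hunk in sys/src/cmd/hg/mercurial/mpatch.c has the same two points.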
--- a/sys/src/cmd/hg/mercurial/mpatch.c
+++ b/sys/src/cmd/hg/mercurial/mpatch.c
@@ -239,7 +239,7 @@
char decode[12]; /* for dealing with alignment issues */
/* assume worst case size, we won't have many of these lists */
- l = lalloc(len / 12);
+ l = lalloc(len / 12 + 1);
if (!l)
return NULL;
@@ -250,7 +250,7 @@
lt->start = ntohl(*(uint32_t *)decode);
lt->end = ntohl(*(uint32_t *)(decode + 4));
lt->len = ntohl(*(uint32_t *)(decode + 8));
- if (lt->start > lt->end)
+ if (lt->start > lt->end || lt->len < 0)
break; /* sanity check */
bin = data + lt->len;
if (bin < data)