From cd9cddf3dd64b01e7e54ba3a3371a8d0a5c70748 Mon Sep 17 00:00:00 2001
From: cinap_lenrek
Date: Sun, 3 Apr 2016 04:04:56 +0200
Subject: [PATCH] mercurial: CVE-2016-3630 backported the following patches from mercurial 3.7.3: https://selenic.com/repo/hg/rev/b6ed2505d6cf https://selenic.com/repo/hg/rev/b9714d958e89
---
 sys/lib/python/mercurial/mpatch.c | 4 ++--
 sys/src/cmd/hg/mercurial/mpatch.c | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/sys/lib/python/mercurial/mpatch.c b/sys/lib/python/mercurial/mpatch.c
index d9ceefcae..86400d1a2 100644
--- a/sys/lib/python/mercurial/mpatch.c
+++ b/sys/lib/python/mercurial/mpatch.c
@@ -239,7 +239,7 @@ static struct flist *decode(const char *bin, int len)
 char decode[12]; /* for dealing with alignment issues */ /* assume worst case size, we won't have many of these lists */
- l = lalloc(len / 12);
+ l = lalloc(len / 12 + 1);
 if (!l) return NULL;
@@ -250,7 +250,7 @@ static struct flist *decode(const char *bin, int len)
 lt->start = ntohl(*(uint32_t *)decode);
 lt->end = ntohl(*(uint32_t *)(decode + 4));
 lt->len = ntohl(*(uint32_t *)(decode + 8));
- if (lt->start > lt->end)
+ if (lt->start > lt->end || lt->len < 0)
 break; /* sanity check */
 bin = data + lt->len;
 if (bin < data)
diff --git a/sys/src/cmd/hg/mercurial/mpatch.c b/sys/src/cmd/hg/mercurial/mpatch.c
index d9ceefcae..86400d1a2 100644
--- a/sys/src/cmd/hg/mercurial/mpatch.c
+++ b/sys/src/cmd/hg/mercurial/mpatch.c
@@ -239,7 +239,7 @@ static struct flist *decode(const char *bin, int len)
 char decode[12]; /* for dealing with alignment issues */ /* assume worst case size, we won't have many of these lists */
- l = lalloc(len / 12);
+ l = lalloc(len / 12 + 1);
 if (!l) return NULL;
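Review bot: The comment above `l = lalloc(len / 12 + 1);` in the `@@ -239` hunk of sys/lib/python/mercurial/mpatch.c still only says "assume worst case size" and does not explain why one extra slot is needed, so a later reader cannot tell a rounding fix from arbitrary slack. Please state the reason next to the call, for example `/* len / 12 rounds down; keep one spare frag for a trailing short record */` if that is the intent; the loop that fills the list is outside the hunk, so the wording needs confirming against it. `len` is a plain `int` supplied by the caller and nothing visible rejects a negative or sub-header value before it reaches `lalloc`; whether `lalloc` copes with a size of zero or less is not shown here. The same applies to the identical hunk in sys/src/cmd/hg/mercurial/mpatch.c.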
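Review bot: In the `@@ -250` hunk of sys/lib/python/mercurial/mpatch.c only `lt->len` gets a negative check, although `lt->start` and `lt->end` are decoded from the same patch bytes with the same `ntohl` pattern, so a negative `start` with `start <= end` still passes the sanity test. If these fields are signed (the struct is declared outside the hunk), the guard should read `if (lt->start < 0 || lt->start > lt->end || lt->len < 0)`. The following `bin = data + lt->len; if (bin < data)` test detects overflow only after an out-of-range pointer has been formed, which is undefined behaviour and may be optimised away; comparing `lt->len` with the bytes remaining in the buffer before the addition would be sturdier. The same applies to the identical hunk in sys/src/cmd/hg/mercurial/mpatch.c, and the loop around these lines starts and ends outside the hunk.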
@@ -250,7 +250,7 @@ static struct flist *decode(const char *bin, int len)
 lt->start = ntohl(*(uint32_t *)decode);
 lt->end = ntohl(*(uint32_t *)(decode + 4));
 lt->len = ntohl(*(uint32_t *)(decode + 8));
- if (lt->start > lt->end)
+ if (lt->start > lt->end || lt->len < 0)
 break; /* sanity check */
 bin = data + lt->len;
 if (bin < data)