xfnw/plan9fox
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

mercurial: CVE-2016-3630

Browse source 
backported the following patches from mercurial 3.7.3:

b6ed2505d6
b9714d958e
This commit is contained in:
cinap_lenrek 2016-04-03 04:04:56 +02:00
parent 0237b58390
commit cd9cddf3dd
2 changed files with 4 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

4
sys/lib/python/mercurial/mpatch.c
View file

@ -239,7 +239,7 @@ static struct flist *decode(const char *bin, int len)
char decode[12]; /* for dealing with alignment issues */ char decode[12]; /* for dealing with alignment issues */
/* assume worst case size, we won't have many of these lists */ /* assume worst case size, we won't have many of these lists */
l = lalloc(len / 12); l = lalloc(len / 12 + 1);
if (!l) if (!l)
return NULL; return NULL;
@ -250,7 +250,7 @@ static struct flist *decode(const char *bin, int len)
lt->start = ntohl(*(uint32_t *)decode); lt->start = ntohl(*(uint32_t *)decode);
lt->end = ntohl(*(uint32_t *)(decode + 4)); lt->end = ntohl(*(uint32_t *)(decode + 4));
lt->len = ntohl(*(uint32_t *)(decode + 8)); lt->len = ntohl(*(uint32_t *)(decode + 8));
if (lt->start > lt->end) if (lt->start > lt->end || lt->len < 0)
break; /* sanity check */ break; /* sanity check */
bin = data + lt->len; bin = data + lt->len;
if (bin < data) if (bin < data)

4
sys/src/cmd/hg/mercurial/mpatch.c
View file

@ -239,7 +239,7 @@ static struct flist *decode(const char *bin, int len)
char decode[12]; /* for dealing with alignment issues */ char decode[12]; /* for dealing with alignment issues */
/* assume worst case size, we won't have many of these lists */ /* assume worst case size, we won't have many of these lists */
l = lalloc(len / 12); l = lalloc(len / 12 + 1);
if (!l) if (!l)
return NULL; return NULL;
@ -250,7 +250,7 @@ static struct flist *decode(const char *bin, int len)
lt->start = ntohl(*(uint32_t *)decode); lt->start = ntohl(*(uint32_t *)decode);
lt->end = ntohl(*(uint32_t *)(decode + 4)); lt->end = ntohl(*(uint32_t *)(decode + 4));
lt->len = ntohl(*(uint32_t *)(decode + 8)); lt->len = ntohl(*(uint32_t *)(decode + 8));
if (lt->start > lt->end) if (lt->start > lt->end || lt->len < 0)
break; /* sanity check */ break; /* sanity check */
bin = data + lt->len; bin = data + lt->len;
if (bin < data) if (bin < data)