Patchwork [STABLE] parsers: fix parse_dirstate to check len before unpacking header (issue4979)

Submitter Yuya Nishihara
Date Dec. 2, 2015, 3:01 p.m.
Message ID <f5e8cb813a4d5c0665c7.1449068515@mimosa>
Permalink /patch/11745/
State Accepted

Comments

Yuya Nishihara - Dec. 2, 2015, 3:01 p.m.
# HG changeset patch
# User Yuya Nishihara <yuya@tcha.org>
# Date 1449065098 -32400
#      Wed Dec 02 23:04:58 2015 +0900
# Branch stable
# Node ID f5e8cb813a4d5c0665c7e144d96810b4763c42d1
# Parent  7e1fac6c0a9ce6afd3edeed5e47bcca343155d8a
parsers: fix parse_dirstate to check len before unpacking header (issue4979)
Augie Fackler - Dec. 2, 2015, 3:35 p.m.
On Thu, Dec 03, 2015 at 12:01:55AM +0900, Yuya Nishihara wrote:
> # HG changeset patch
> # User Yuya Nishihara <yuya@tcha.org>
> # Date 1449065098 -32400
> #      Wed Dec 02 23:04:58 2015 +0900
> # Branch stable
> # Node ID f5e8cb813a4d5c0665c7e144d96810b4763c42d1
> # Parent  7e1fac6c0a9ce6afd3edeed5e47bcca343155d8a
> parsers: fix parse_dirstate to check len before unpacking header (issue4979)

Sure, queued for stable since it's such a trivial crasher fix.

>
> diff --git a/mercurial/parsers.c b/mercurial/parsers.c
> --- a/mercurial/parsers.c
> +++ b/mercurial/parsers.c
> @@ -493,6 +493,11 @@ static PyObject *parse_dirstate(PyObject
>
>       /* read filenames */
>       while (pos >= 40 && pos < len) {
> +		if (pos + 17 > len) {
> +			PyErr_SetString(PyExc_ValueError,
> +					"overflow in dirstate");
> +			goto quit;
> +		}
>               cur = str + pos;
>               /* unpack header */
>               state = *cur;
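Review bot: No regression test accompanies the new `pos + 17 > len` branch at the top of the `while` loop; the patch as posted touches only mercurial/parsers.c. A test that passes parse_dirstate a dirstate cut off inside an entry header and expects the ValueError would pin down the issue4979 crash. The message "overflow in dirstate" could also name the truncated entry header, so a user hitting it knows the file is short rather than oversized.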

Patch

diff --git a/mercurial/parsers.c b/mercurial/parsers.c
--- a/mercurial/parsers.c
+++ b/mercurial/parsers.c
@@ -493,6 +493,11 @@  static PyObject *parse_dirstate(PyObject
 
 	/* read filenames */
 	while (pos >= 40 && pos < len) {
+		if (pos + 17 > len) {
+			PyErr_SetString(PyExc_ValueError,
+					"overflow in dirstate");
+			goto quit;
+		}
 		cur = str + pos;
 		/* unpack header */
 		state = *cur;
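Review bot: The literal 17 in `if (pos + 17 > len)` is unexplained; a short comment or a named constant stating that it is the size of the fixed entry header unpacked just below would let a reader audit the bound against the unpack code. Since the loop condition already guarantees `pos < len`, writing the test as `len - pos < 17` would also avoid depending on `pos + 17` not wrapping when `len` is very large.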