D4151: linelog: fix infinite loop vulnerability

Submitter	phabricator
Date	Aug. 7, 2018, 12:52 p.m.
Message ID	<2b34384a3080ba1b22467a5abb25390d@localhost.localdomain>
Download	mbox \| patch
Permalink	/patch/33390/
State	Not Applicable
Headers	show Return-Path: <mercurial-devel-bounces@mercurial-scm.org> Date: Tue, 7 Aug 2018 12:52:06 +0000 To: mercurial-devel@mercurial-scm.org From: "quark (Jun Wu)" <phabricator@mercurial-scm.org> Subject: D4151: linelog: fix infinite loop vulnerability Message-ID: <2b34384a3080ba1b22467a5abb25390d@localhost.localdomain> Thread-Topic: D4151: linelog: fix infinite loop vulnerability Precedence: bulk In-Reply-To: <differential-rev-PHID-DREV-d2pxnsceitrnfvry7fvi-req@phab.mercurial-scm.org> References: <differential-rev-PHID-DREV-d2pxnsceitrnfvry7fvi-req@phab.mercurial-scm.org> Thread-Index: OTZiNDE0Y2VkMmQ4ZjExODkxY2MxNTI2OTY1IFtplfY= MIME-Version: 1.0 Reply-To: phabricator+D4151+public+c4b88a3f91ae6d93@mercurial-scm.org Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: mercurial-devel-bounces@mercurial-scm.org Sender: "Mercurial-devel" <mercurial-devel-bounces@mercurial-scm.org>

Comments

phabricator - Aug. 7, 2018, 12:52 p.m.

This revision was automatically updated to reflect the committed changes.
Closed by commit rHG27a54096c92e: linelog: fix infinite loop vulnerability (authored by quark, committed by ).

REPOSITORY
  rHG Mercurial

CHANGES SINCE LAST UPDATE
  https://phab.mercurial-scm.org/D4151?vs=10032&id=10046

REVISION DETAIL
  https://phab.mercurial-scm.org/D4151

AFFECTED FILES
  mercurial/linelog.py
  tests/test-linelog.py

CHANGE DETAILS




To: quark, #hg-reviewers
Cc: mercurial-devel

Patch

diff --git a/tests/test-linelog.py b/tests/test-linelog.py
--- a/tests/test-linelog.py
+++ b/tests/test-linelog.py
@@ -179,6 +179,15 @@ 
             ar = ll.annotate(rev)
             self.assertEqual([(l.rev, l.linenum) for l in ar], lines)
 
+    def testinfinitebadprogram(self):
+        ll = linelog.linelog.fromdata(
+            b'\x00\x00\x00\x00\x00\x00\x00\x02'  # header
+            b'\x00\x00\x00\x00\x00\x00\x00\x01'  # JUMP to self
+        )
+        with self.assertRaises(linelog.LineLogError):
+            # should not be an infinite loop and raise
+            ll.annotate(1)
+
 if __name__ == '__main__':
     import silenttestrunner
     silenttestrunner.main(__name__)
diff --git a/mercurial/linelog.py b/mercurial/linelog.py
--- a/mercurial/linelog.py
+++ b/mercurial/linelog.py
@@ -360,13 +360,15 @@ 
     def annotate(self, rev):
         pc = 1
         lines = []
-        # Sanity check: if len(lines) is longer than len(program), we
+        executed = 0
+        # Sanity check: if instructions executed exceeds len(program), we
         # hit an infinite loop in the linelog program somehow and we
         # should stop.
-        while pc is not None and len(lines) < len(self._program):
+        while pc is not None and executed < len(self._program):
             inst = self._program[pc]
             lastpc = pc
             pc = inst.execute(rev, pc, lines.append)
+            executed += 1
         if pc is not None:
             raise LineLogError(
                 'Probably hit an infinite loop in linelog. Program:\n' +

Patchwork D4151: linelog: fix infinite loop vulnerability

Comments

Patch