Patchwork [4,of,5,FOLLOW-UP] revlog: properly detect corrupted revlog in `index_get_length`

login
register
mail settings
Submitter Boris Feld
Date Nov. 26, 2018, 6:33 p.m.
Message ID <7dc2fade8ee58c0554b6.1543257233@localhost.localdomain>
Download mbox | patch
Permalink /patch/36789/
State Accepted
Headers show

Comments

Boris Feld - Nov. 26, 2018, 6:33 p.m.
# HG changeset patch
# User Boris Feld <boris.feld@octobus.net>
# Date 1543188069 -3600
#      Mon Nov 26 00:21:09 2018 +0100
# Node ID 7dc2fade8ee58c0554b6f25484a4481ac625ce84
# Parent  9e936fdbd084acef9ca4edf998024896a30a0937
# EXP-Topic follow-up-yuya
# Available At https://bitbucket.org/octobus/mercurial-devel/
#              hg pull https://bitbucket.org/octobus/mercurial-devel/ -r 7dc2fade8ee5
revlog: properly detect corrupted revlog in `index_get_length`

Pointed out by Yuya Nishihara.

Patch

diff --git a/mercurial/cext/revlog.c b/mercurial/cext/revlog.c
--- a/mercurial/cext/revlog.c
+++ b/mercurial/cext/revlog.c
@@ -242,7 +242,14 @@  static inline int index_get_length(index
 		return (int)ret;
 	} else {
 		const char *data = index_deref(self, rev);
-		return (int)getbe32(data + 8);
+		int tmp = (int)getbe32(data + 8);
+		if (tmp < 0) {
+			PyErr_Format(PyExc_OverflowError,
+			             "revlog entry size out of bound (%d)",
+			             tmp);
+			return -1;
+		}
+		return tmp;
 	}
 }