Patchwork D7597: dirs: fix out-of-bounds access in Py3

login
register
mail settings
Submitter phabricator
Date Dec. 10, 2019, 10:44 p.m.
Message ID <differential-rev-PHID-DREV-xufruzib7tzes3ufqy3t-req@mercurial-scm.org>
Download mbox | patch
Permalink /patch/43694/
State Superseded
Headers show

Comments

phabricator - Dec. 10, 2019, 10:44 p.m.
martinvonz created this revision.
Herald added a subscriber: mercurial-devel.
Herald added a reviewer: hg-reviewers.

REVISION SUMMARY
  The hack for mutating Python's variable-length integers that was
  ported to py3 in cb3048746dae <https://phab.mercurial-scm.org/rHGcb3048746dae7c2f512f462f4e30e9afae7c4355> (dirs: port PyInt code to work on Python
  3, 2016-10-08) was reading from ob_digit[1] instead of ob_digit[0] for
  some reason. Space for ob_digit[1] would only be allocated for
  integers larger than 30 bits, so we ended up writing to unallocated
  memory. Also, we would write an integer that's 2^30 too large, so we
  would never free these integers.
  
  Found by AddressSanitizer.

REPOSITORY
  rHG Mercurial

BRANCH
  default

REVISION DETAIL
  https://phab.mercurial-scm.org/D7597

AFFECTED FILES
  mercurial/cext/dirs.c

CHANGE DETAILS




To: martinvonz, #hg-reviewers
Cc: mercurial-devel

Patch

diff --git a/mercurial/cext/dirs.c b/mercurial/cext/dirs.c
--- a/mercurial/cext/dirs.c
+++ b/mercurial/cext/dirs.c
@@ -14,7 +14,7 @@ 
 #include "util.h"
 
 #ifdef IS_PY3K
-#define PYLONG_VALUE(o) ((PyLongObject *)o)->ob_digit[1]
+#define PYLONG_VALUE(o) ((PyLongObject *)o)->ob_digit[0]
 #else
 #define PYLONG_VALUE(o) PyInt_AS_LONG(o)
 #endif