File hg-mpatch-fix01.patch of Package mercurial.8018

# HG changeset patch
# User Augie Fackler <augie@google.com>
# Date 1524890536 14400
# Node ID 90a274965de74cb0b4bea01a564b29b12a6af814
# Parent  c0081d3e1598e0c82cf5024422dc206db83687de
mpatch: be more careful about parsing binary patch data (SEC)

It appears to have been possible to trivially walk off the end of an
allocated region with a malformed patch. Oops.

Caught when writing an mpatch fuzzer for oss-fuzz.

This defect is OVE-20180430-0001. A CVE has not been obtained as of
this writing.

---
 mercurial/mpatch.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/mercurial/mpatch.c
+++ b/mercurial/mpatch.c
@@ -211,7 +211,9 @@ static struct flist *decode(const char *
 
 	lt = l->tail;
 
-	while (pos >= 0 && pos < len) {
+	/* We check against len-11 to ensure we have at least 12 bytes
+	   left in the patch so we can read our three be32s out of it. */
+	while (pos >= 0 && pos < (len - 11)) {
 		lt->start = getbe32(bin + pos);
 		lt->end = getbe32(bin + pos + 4);
 		lt->len = getbe32(bin + pos + 8);
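Review bot: the new bound `pos < (len - 11)` is only a safe guard if `len` is a signed type; if it is a `size_t` (or any unsigned type), `len - 11` wraps to a huge value whenever `len < 11`, the condition passes, and the three `getbe32` reads at `pos`, `pos + 4` and `pos + 8` still run off the end of `bin` for a short input. The hunk header cuts off the parameter list, so the signature should be confirmed. A form that does not depend on the type is `pos >= 0 && pos < len && len - pos >= 12`, which also states the "12 bytes remain" intent of the comment directly instead of via the `-11` arithmetic.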