File hg-mpatch-fix09.patch of Package mercurial.8018

# HG changeset patch
# User Augie Fackler <augie@google.com>
# Date 1525141498 14400
# Node ID 9c5ced5276d6e7d54f7c3dadf5247b7ee98ec79c
# Parent  59837a16896da36d26e795881f4ba4454cb8ae41
mpatch: avoid integer overflow in combine() (SEC)

All the callers of this function can handle a NULL return, so that
appears to be the "safe" way to report an error.

---
 mercurial/mpatch.c |   15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

--- a/mercurial/mpatch.c
+++ b/mercurial/mpatch.c
@@ -261,8 +261,18 @@ static struct flist *combine(struct flis
 
 			/* insert new hunk */
 			ct = c->tail;
-			ct->start = bh->start - offset;
-			ct->end = bh->end - post;
+			ct->start = bh->start;
+			ct->end = bh->end;
+			if (!safesub(offset, &(ct->start)) ||
+			    !safesub(post, &(ct->end))) {
+				/* It was already possible to exit
+				 * this function with a return value
+				 * of NULL before the safesub()s were
+				 * added, so this should be fine. */
+				lfree(c);
+				c = NULL;
+				goto done;
+			}
 			ct->len = bh->len;
 			ct->data = bh->data;
 			c->tail++;
@@ -274,6 +284,7 @@ static struct flist *combine(struct flis
 		c->tail += lsize(a);
 	}
 
+done:
 	lfree(a);
 	lfree(b);
 	return c;