Overview

File hg-CVE-2018-17983.patch of Package mercurial.38124

# HG changeset patch
# User Yuya Nishihara <yuya@tcha.org>
# Date 1536150209 -32400
# Node ID 5405cb1a79010ac50c58cd84e6f50c4556bf2a4c
# Parent  e85462d48cb3a59f67a595510fc7977cba6ed358
manifest: fix out-of-bounds read of corrupted manifest entry

Spotted by ASAN.

---
 mercurial/cext/manifest.c |   12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

Index: mercurial-4.5.2/mercurial/cext/manifest.c
===================================================================
--- mercurial-4.5.2.orig/mercurial/cext/manifest.c	2025-03-20 19:38:59.213278318 +0100
+++ mercurial-4.5.2/mercurial/cext/manifest.c	2025-03-20 19:39:13.827436504 +0100
@@ -50,7 +50,12 @@
 {
 	char *s = l->start;
 	ssize_t llen = pathlen(l);
-	PyObject *hash = unhexlify(s + llen + 1, 40);
+	PyObject *hash;
+	if (llen + 1 + 40 + 1 > l->len) { /* path '\0' hash '\n' */
+		PyErr_SetString(PyExc_ValueError, "manifest line too short");
+		return NULL;
+	}
+	hash = unhexlify(s + llen + 1, 40);
 	if (!hash) {
 		return NULL;
 	}
@@ -240,10 +245,13 @@
 	pl = pathlen(l);
 	path = PyBytes_FromStringAndSize(l->start, pl);
 	hash = nodeof(l);
+	if (!path || !hash) {
+		goto done;
+	}
 	consumed = pl + 41;
 	flags = PyBytes_FromStringAndSize(l->start + consumed,
 					   l->len - consumed - 1);
-	if (!path || !hash || !flags) {
+	if (!flags) {
 		goto done;
 	}
 	ret = PyTuple_Pack(3, path, hash, flags);
openSUSE Build Service is sponsored by
Places