File hg-mpatch-fix09.patch of Package mercurial.8400
# HG changeset patch
# User Augie Fackler <augie@google.com>
# Date 1525141498 14400
# Node ID 9c5ced5276d6e7d54f7c3dadf5247b7ee98ec79c
# Parent 59837a16896da36d26e795881f4ba4454cb8ae41
mpatch: avoid integer overflow in combine() (SEC)
All the callers of this function can handle a NULL return, so that
appears to be the "safe" way to report an error.
---
mercurial/mpatch.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
--- a/mercurial/mpatch.c
+++ b/mercurial/mpatch.c
@@ -248,8 +248,18 @@ static struct mpatch_flist *combine(stru
/* insert new hunk */
ct = c->tail;
- ct->start = bh->start - offset;
- ct->end = bh->end - post;
+ ct->start = bh->start;
+ ct->end = bh->end;
+ if (!safesub(offset, &(ct->start)) ||
+ !safesub(post, &(ct->end))) {
+ /* It was already possible to exit
+ * this function with a return value
+ * of NULL before the safesub()s were
+ * added, so this should be fine. */
+ mpatch_lfree(c);
+ c = NULL;
+ goto done;
+ }
ct->len = bh->len;
ct->data = bh->data;
c->tail++;
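Review bot: The new failure path at `goto done` returns the same bare NULL that combine() could already return, so a caller cannot tell "fragment offsets overflowed" apart from the earlier NULL case (presumably allocation failure), and malformed input may be reported as the wrong error. The in-code comment records history rather than the invariant; something like `/* start/end would overflow int after rebasing: treat the patch as corrupt and fail the whole combine */` would serve the next reader better. The guard as written appears to reject only arithmetic overflow (safesub() is defined outside this hunk), so a result with `ct->start < 0` or `ct->end < ct->start` still gets appended to `c`. If that range is not validated where the fragment list is later applied, it should be checked here, or the comment should name where it is enforced. combine()'s loop and its existing NULL path both lie outside the hunk.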
@@ -260,7 +270,7 @@ static struct mpatch_flist *combine(stru
memcpy(c->tail, a->head, sizeof(struct mpatch_frag) * lsize(a));
c->tail += lsize(a);
}
-
+done:
mpatch_lfree(a);
mpatch_lfree(b);
return c;