# HG changeset patch
# User Matt Mackall <mpm@selenic.com>
# Date 1458174569 25200
# Node ID b6ed2505d6cf1d73f7f5c62e7369c4ce65cd3732
# Parent a2c2dd399f3b9fb84edd75a930e895f0c5e4ad5b
parsers: fix list sizing rounding error (SEC)
CVE-2016-3630 (1/2)
This addresses part of a vulnerability in application of binary
deltas.
diff -r a2c2dd399f3b -r b6ed2505d6cf mercurial/mpatch.c
--- a/mercurial/mpatch.c Fri Mar 25 10:47:49 2016 -0700
+++ b/mercurial/mpatch.c Wed Mar 16 17:29:29 2016 -0700
@@ -205,7 +205,7 @@
int pos = 0;
/* assume worst case size, we won't have many of these lists */
- l = lalloc(len / 12);
+ l = lalloc(len / 12 + 1);
if (!l)
return NULL;
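Review bot: The `+ 1` in `lalloc(len / 12 + 1)` is unexplained, and the existing comment "assume worst case size" does not say what the worst case is. Judging from the divisor, each fragment takes at least a 12-byte header, so `len / 12` rounds down and undercounts by one entry when `len` is not a multiple of 12. A comment such as `/* one frag per 12-byte header; +1 for a trailing partial header when len % 12 != 0 */` would stop a later edit from "simplifying" the expression back. The bound is only safe if the loop that fills the list never writes more entries than were allocated, and that loop is outside this hunk. It is worth confirming that the loop stops on the allocated capacity, or on fewer than 12 bytes remaining, instead of relying on the sizing arithmetic alone.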
diff -r a2c2dd399f3b -r b6ed2505d6cf tests/test-revlog.t
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/test-revlog.t Wed Mar 16 17:29:29 2016 -0700
@@ -0,0 +1,15 @@
+Test for CVE-2016-3630
+
+ $ hg init
+
+ >>> open("a.i", "w").write(
+ ... """eJxjYGZgZIAAYQYGxhgom+k/FMx8YKx9ZUaKSOyqo4cnuKb8mbqHV5cBCVTMWb1Cwqkhe4Gsg9AD
+ ... Joa3dYtcYYYBAQ8Qr4OqZAYRICPTSr5WKd/42rV36d+8/VmrNpv7NP1jQAXrQE4BqQUARngwVA=="""
+ ... .decode("base64").decode("zlib"))
+
+ $ hg debugindex a.i
+ rev offset length delta linkrev nodeid p1 p2
+ 0 0 19 -1 2 99e0332bd498 000000000000 000000000000
+ 1 19 12 0 3 6674f57a23d8 99e0332bd498 000000000000
+ $ hg debugdata a.i 1 2>&1 | grep decoded
+ mpatch.mpatchError: patch cannot be decoded
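Review bot: The fixture is written with `open("a.i", "w")`, which is text mode, although the decoded payload is binary revlog data. On platforms that translate line endings this can alter the bytes, so the test may stop exercising the intended input; `open("a.i", "wb")` avoids that. The base64/zlib blob is also opaque: the only description is "Test for CVE-2016-3630", so a one-line comment saying which property of the index or delta the fixture is meant to trigger, and how it was generated, would let a maintainer rebuild it if the revlog format changes. Since the assertion is only `grep decoded`, consider also checking the exit status of `hg debugdata`, so that a crash which prints nothing is clearly distinguishable from a clean rejection.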