File hg-mpatch-fix01.patch of Package mercurial

Overview Repositories Revisions Requests Users Attributes Meta

File hg-mpatch-fix01.patch of Package mercurial

# HG changeset patch
# User Augie Fackler <augie@google.com>
# Date 1524890536 14400
# Node ID 90a274965de74cb0b4bea01a564b29b12a6af814
# Parent  c0081d3e1598e0c82cf5024422dc206db83687de
mpatch: be more careful about parsing binary patch data (SEC)

It appears to have been possible to trivially walk off the end of an
allocated region with a malformed patch. Oops.

Caught when writing an mpatch fuzzer for oss-fuzz.

This defect is OVE-20180430-0001. A CVE has not been obtained as of
this writing.

diff -r c0081d3e1598 -r 90a274965de7 mercurial/mpatch.c
--- a/mercurial/mpatch.c	Wed Jun 06 09:14:33 2018 -0700
+++ b/mercurial/mpatch.c	Sat Apr 28 00:42:16 2018 -0400
@@ -197,7 +197,9 @@
 
 	lt = l->tail;
 
-	while (pos >= 0 && pos < len) {
+	/* We check against len-11 to ensure we have at least 12 bytes
+	   left in the patch so we can read our three be32s out of it. */
+	while (pos >= 0 && pos < (len - 11)) {
 		lt->start = getbe32(bin + pos);
 		lt->end = getbe32(bin + pos + 4);
 		lt->len = getbe32(bin + pos + 8);

Places

File hg-mpatch-fix01.patch of Package mercurial

Places