[PATCH] Fix segfaults when parsing bdiff hunks in mpatch.decode() and .patchedsize()

Benoit Boissinot bboissin at gmail.com
Sat Jan 27 17:53:25 CST 2007


On 1/27/07, Thomas Arendsen Hein <thomas at intevation.de> wrote:
> Hi!
>
> I plan to push this to crew-stable, but like to have comments first.
> Is this problem security relevant? (Segfaults, but only reads)
> Does the patch make decode and patchedsize bullet proof?
>
It fixes a segfault I discovered earlier using zzuf (a fuzzer
available at http://sam.zoy.org/zzuf/). The segfault happened in the
apply function where we patch the buffer, so maybe it is exploitable.

The backtrace was:
(gdb) bt
#0  0xb7e3437c in memcpy () from /lib/tls/i686/cmov/libc.so.6
#1  0xb79e315c in patches (self=0x0, args=0xb7c56b0c) at mercurial/mpatch.c:291

regards,

Benoit
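As an added illustration (not Mercurial's mpatch.c and not part of this thread), here is a pure-Python decode/patchedsize/apply for the bdiff hunk format the patch handles. It assumes each hunk is a 12-byte big-endian header (start, end, length) followed by length data bytes; every field is checked against the delta and the original before any slice is taken, which is the kind of bounds check a robust decode and patchedsize need so that malformed hunks are rejected instead of reaching a memcpy.

```python
import struct

# Assumed hunk layout: 12-byte big-endian header (start, end, length), then length data bytes.
HUNK_HEADER = struct.Struct(">iii")

class MalformedPatch(ValueError):
    """Raised instead of reading past a buffer when a hunk is inconsistent."""

def decode_hunks(delta):
    """Split a delta into (start, end, data) hunks, checking every field before slicing."""
    hunks, pos, n = [], 0, len(delta)
    while pos < n:
        if n - pos < HUNK_HEADER.size:
            raise MalformedPatch("truncated hunk header at offset %d" % pos)
        start, end, length = HUNK_HEADER.unpack_from(delta, pos)
        pos += HUNK_HEADER.size
        if start < 0 or end < start or length < 0:
            raise MalformedPatch("bad hunk fields start=%d end=%d len=%d" % (start, end, length))
        if length > n - pos:  # data would run past the end of the delta buffer
            raise MalformedPatch("hunk data of %d bytes exceeds remaining delta" % length)
        hunks.append((start, end, delta[pos:pos + length]))
        pos += length
    return hunks

def _check_against_original(hunks, origlen):
    """Hunks must be in order, non-overlapping, and confined to the original text."""
    last = 0
    for start, end, _ in hunks:
        if start < last or end > origlen:
            raise MalformedPatch("hunk [%d,%d) outside original of length %d" % (start, end, origlen))
        last = end

def patchedsize(origlen, delta):
    """Size of the patched result, computed without building it."""
    hunks = decode_hunks(delta)
    _check_against_original(hunks, origlen)
    return origlen + sum(len(d) - (end - start) for start, end, d in hunks)

def apply_patch(orig, delta):
    """Apply a validated delta; the slices here can no longer reach outside orig."""
    hunks = decode_hunks(delta)
    _check_against_original(hunks, len(orig))
    out, last = [], 0
    for start, end, data in hunks:
        out.append(orig[last:start])
        out.append(data)
        last = end
    out.append(orig[last:])
    return b"".join(out)
```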

