[PATCH] Fix segfaults when parsing bdiff hunks in
mpatch.decode() and .patchedsize()
bboissin at gmail.com
Sat Jan 27 17:53:25 CST 2007
On 1/27/07, Thomas Arendsen Hein <thomas at intevation.de> wrote:
> I plan to push this to crew-stable, but like to have comments first.
> Is this problem security relevant? (Segfaults, but only reads)
> Does the patch make decode and patchedsize bullet proof?
It fixes a segfault I discovered earlier using zzuf (a fuzzer
available at http://sam.zoy.org/zzuf/). The segfault happened in the
apply function where we patch the buffer, so maybe it is exploitable.
The backtrace was:
#0 0xb7e3437c in memcpy () from /lib/tls/i686/cmov/libc.so.6
#1 0xb79e315c in patches (self=0x0, args=0xb7c56b0c) at mercurial/mpatch.c:291