D5464: parsers: better bounds checking in fm1readmarkers

durin42 (Augie Fackler) phabricator at mercurial-scm.org
Thu Dec 20 06:41:34 UTC 2018


durin42 created this revision.
Herald added a subscriber: mercurial-devel.
Herald added a reviewer: hg-reviewers.

REVISION SUMMARY
  Our Python already calls this with reasonable values consistently, but
  my upcoming fuzzer is extremely quick to discover the lack of sanity
  checking here.

REPOSITORY
  rHG Mercurial

REVISION DETAIL
  https://phab.mercurial-scm.org/D5464

AFFECTED FILES
  mercurial/cext/parsers.c

CHANGE DETAILS

diff --git a/mercurial/cext/parsers.c b/mercurial/cext/parsers.c
--- a/mercurial/cext/parsers.c
+++ b/mercurial/cext/parsers.c
@@ -572,6 +572,17 @@
 	                      &offset, &stop)) {
 		return NULL;
 	}
+	if (offset < 0) {
+		PyErr_SetString(PyExc_ValueError,
+		                "invalid negative offset in fm1readmarkers");
+		return NULL;
+	}
+	if (stop > datalen) {
+		PyErr_SetString(
+		    PyExc_ValueError,
+		    "stop longer than data length in fm1readmarkers");
+		return NULL;
+	}
 	dataend = data + datalen;
 	data += offset;
 	markers = PyList_New(0);



To: durin42, #hg-reviewers
Cc: mercurial-devel


More information about the Mercurial-devel mailing list