mercurial: CVE-2016-3630

backported the following patches from mercurial 3.7.3: https://selenic.com/repo/hg/rev/b6ed2505d6cf https://selenic.com/repo/hg/rev/b9714d958e89
author: cinap_lenrek <cinap_lenrek@felloff.net> 2016-04-03 04:04:56 +0200
committer: cinap_lenrek <cinap_lenrek@felloff.net> 2016-04-03 04:04:56 +0200
commit: cd9cddf3dd64b01e7e54ba3a3371a8d0a5c70748 (patch)
tree: 115039ee4ae209a9972f6a2472c96a6d65322b0f /sys/lib
parent: 0237b583906353b78f9cbf2194dc083e82b8ba23 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/lib/python/mercurial/mpatch.c b/sys/lib/python/mercurial/mpatch.c
index d9ceefcae..86400d1a2 100644
--- a/sys/lib/python/mercurial/mpatch.c
+++ b/sys/lib/python/mercurial/mpatch.c
@@ -239,7 +239,7 @@ static struct flist *decode(const char *bin, int len)
 	char decode[12]; /* for dealing with alignment issues */
 
 	/* assume worst case size, we won't have many of these lists */
-	l = lalloc(len / 12);
+	l = lalloc(len / 12 + 1);
 	if (!l)
 		return NULL;
 
@@ -250,7 +250,7 @@ static struct flist *decode(const char *bin, int len)
 		lt->start = ntohl(*(uint32_t *)decode);
 		lt->end = ntohl(*(uint32_t *)(decode + 4));
 		lt->len = ntohl(*(uint32_t *)(decode + 8));
-		if (lt->start > lt->end)
+		if (lt->start > lt->end || lt->len < 0)
 			break; /* sanity check */
 		bin = data + lt->len;
 		if (bin < data)
author	cinap_lenrek <cinap_lenrek@felloff.net>	2016-04-03 04:04:56 +0200
committer	cinap_lenrek <cinap_lenrek@felloff.net>	2016-04-03 04:04:56 +0200
commit	cd9cddf3dd64b01e7e54ba3a3371a8d0a5c70748 (patch)
tree	115039ee4ae209a9972f6a2472c96a6d65322b0f /sys/lib
parent	0237b583906353b78f9cbf2194dc083e82b8ba23 (diff)