This is an archive of the discontinued Mercurial Phabricator instance.

dirs: fix out-of-bounds access in Py3
ClosedPublic

Authored by martinvonz on Dec 10 2019, 5:44 PM.

Download Raw Diff

Details

Reviewers

spectral
pulkit

Group Reviewers

hg-reviewers

Commits

rHGa47ccdcce4f9: dirs: fix out-of-bounds access in Py3

Summary

The hack for mutating Python's variable-length integers that was
ported to py3 in cb3048746dae (dirs: port PyInt code to work on Python
3, 2016-10-08) was reading from ob_digit[1] instead of ob_digit[0] for
some reason. Space for ob_digit[1] would only be allocated for
integers larger than 30 bits, so we ended up writing to unallocated
memory. Also, we would write an integer that's 2^30 times too large,
so we would never free these integers.

Found by AddressSanitizer.

Diff Detail

Repository

rHG Mercurial

Branch

default

Lint

No Linters Available

Unit

No Unit Test Coverage

Event Timeline

martinvonz created this revision.Dec 10 2019, 5:44 PM

Herald added a reviewer: hg-reviewers. · View Herald TranscriptDec 10 2019, 5:44 PM

Herald added a subscriber: mercurial-devel. · View Herald Transcript

spectral accepted this revision.Dec 10 2019, 5:56 PM

martinvonz edited the summary of this revision. (Show Details)Dec 10 2019, 6:11 PM

pulkit accepted this revision.Dec 11 2019, 5:51 AM

This revision is now accepted and ready to land.Dec 11 2019, 5:51 AM

martinvonz added a commit: rHGa47ccdcce4f9: dirs: fix out-of-bounds access in Py3.Dec 11 2019, 6:54 AM

Closed by commit rHGa47ccdcce4f9: dirs: fix out-of-bounds access in Py3 (authored by martinvonz). · Explain Why

This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

			Path	Packages
M			mercurial/cext/dirs.c (2 lines)

Commit	Parents	Author	Summary	Date
8c1f8ff98290	85501913a8ab	Martin von Zweigbergk		Dec 10 2019, 5:40 PM

Diff 18591

mercurial/cext/dirs.c

	/*			/*
	dirs.c - dynamic directory diddling for dirstates			dirs.c - dynamic directory diddling for dirstates

	Copyright 2013 Facebook			Copyright 2013 Facebook

	This software may be used and distributed according to the terms of			This software may be used and distributed according to the terms of
	the GNU General Public License, incorporated herein by reference.			the GNU General Public License, incorporated herein by reference.
	*/			*/

	#define PY_SSIZE_T_CLEAN			#define PY_SSIZE_T_CLEAN
	#include <Python.h>			#include <Python.h>
	#include <string.h>			#include <string.h>

	#include "util.h"			#include "util.h"

	#ifdef IS_PY3K			#ifdef IS_PY3K
	#define PYLONG_VALUE(o) ((PyLongObject *)o)->ob_digit[1]			#define PYLONG_VALUE(o) ((PyLongObject *)o)->ob_digit[0]
	#else			#else
	#define PYLONG_VALUE(o) PyInt_AS_LONG(o)			#define PYLONG_VALUE(o) PyInt_AS_LONG(o)
	#endif			#endif

	/*			/*
	* This is a multiset of directory names, built from the files that			* This is a multiset of directory names, built from the files that
	* appear in a dirstate or manifest.			* appear in a dirstate or manifest.
	*			*

Diff	ID	Description	Created	Lint	Unit
Base		Base
Diff 1	18591		Dec 10 2019, 5:44 PM	★	★
Diff 2	18602	rHGa47ccdcce4f9a623746bef4dded54b7a2af5217a	Dec 10 2019, 5:40 PM	★	★