Fossil SCM
Fix a possible buffer overrun in the delta_apply() routine if handed an invalid delta.
Commit
174d61b90a7e4fe366f5914b80facb220d1cee7a
Parent
52aa366c18eda99…
1 file changed
+1
-1
+1
-1
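--- a/src/delta.c
+++ b/src/delta.c
@@ -536,11 +536,11 @@
 cnt = getInt(&zDelta, &lenDelta);
 switch( zDelta[0] ){
 case '@': {
 zDelta++; lenDelta--;
 ofst = getInt(&zDelta, &lenDelta);
-if( zDelta[0]!=',' ){
+if( lenDelta>0 && zDelta[0]!=',' ){
 /* ERROR: copy command not terminated by ',' */
 return -1;
 }
 zDelta++; lenDelta--;
 DEBUG1( printf("COPY %d from %d\n", cnt, ofst); )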
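Review bot: The new guard on line 541 skips the `zDelta[0]` read when the delta is exhausted, but it then treats a truncated copy command as valid instead of rejecting it. With `lenDelta` at zero the error branch is not taken, so `zDelta++; lenDelta--;` on line 545 still moves the pointer past the end of the input and the COPY is processed as if the ',' had been present. Failing closed looks safer: `if( lenDelta<=0 || zDelta[0]!=',' ){`, so a delta that ends before the terminator returns -1. The `switch( zDelta[0] )` on line 537 also reads a byte right after `getInt()` without a visible length check; whether the enclosing loop guarantees that byte is in bounds cannot be told from this hunk, since delta_apply() starts and ends outside it.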
| --- src/delta.c | |
| +++ src/delta.c | |
| @@ -536,11 +536,11 @@ | |
| 536 | cnt = getInt(&zDelta, &lenDelta); |
| 537 | switch( zDelta[0] ){ |
| 538 | case '@': { |
| 539 | zDelta++; lenDelta--; |
| 540 | ofst = getInt(&zDelta, &lenDelta); |
| 541 | if( zDelta[0]!=',' ){ |
| 542 | /* ERROR: copy command not terminated by ',' */ |
| 543 | return -1; |
| 544 | } |
| 545 | zDelta++; lenDelta--; |
| 546 | DEBUG1( printf("COPY %d from %d\n", cnt, ofst); ) |
| 547 |
| --- src/delta.c | |
| +++ src/delta.c | |
| @@ -536,11 +536,11 @@ | |
| 536 | cnt = getInt(&zDelta, &lenDelta); |
| 537 | switch( zDelta[0] ){ |
| 538 | case '@': { |
| 539 | zDelta++; lenDelta--; |
| 540 | ofst = getInt(&zDelta, &lenDelta); |
| 541 | if( lenDelta>0 && zDelta[0]!=',' ){ |
| 542 | /* ERROR: copy command not terminated by ',' */ |
| 543 | return -1; |
| 544 | } |
| 545 | zDelta++; lenDelta--; |
| 546 | DEBUG1( printf("COPY %d from %d\n", cnt, ofst); ) |
| 547 |