Fossil SCM
Pervent integer overflow caused by a malicious delta.
Commit
2b660bd17402689777da04b4984fdf24cfd71048ade72a92e1b3a9f814f07a8b
Parent
9c2741ec927bc58…
1 file changed
+1
-1
+1
-1
| --- src/delta.c | ||
| +++ src/delta.c | ||
| @@ -602,11 +602,11 @@ | ||
| 602 | 602 | total += cnt; |
| 603 | 603 | if( total>limit ){ |
| 604 | 604 | /* ERROR: copy exceeds output file size */ |
| 605 | 605 | return -1; |
| 606 | 606 | } |
| 607 | - if( (int)(ofst+cnt) > lenSrc ){ | |
| 607 | + if( (u64)ofst+(u64)cnt > (u64)lenSrc ){ | |
| 608 | 608 | /* ERROR: copy extends past end of input */ |
| 609 | 609 | return -1; |
| 610 | 610 | } |
| 611 | 611 | memcpy(zOut, &zSrc[ofst], cnt); |
| 612 | 612 | zOut += cnt; |
| 613 | 613 |
| --- src/delta.c | |
| +++ src/delta.c | |
| @@ -602,11 +602,11 @@ | |
| 602 | total += cnt; |
| 603 | if( total>limit ){ |
| 604 | /* ERROR: copy exceeds output file size */ |
| 605 | return -1; |
| 606 | } |
| 607 | if( (int)(ofst+cnt) > lenSrc ){ |
| 608 | /* ERROR: copy extends past end of input */ |
| 609 | return -1; |
| 610 | } |
| 611 | memcpy(zOut, &zSrc[ofst], cnt); |
| 612 | zOut += cnt; |
| 613 |
| --- src/delta.c | |
| +++ src/delta.c | |
| @@ -602,11 +602,11 @@ | |
| 602 | total += cnt; |
| 603 | if( total>limit ){ |
| 604 | /* ERROR: copy exceeds output file size */ |
| 605 | return -1; |
| 606 | } |
| 607 | if( (u64)ofst+(u64)cnt > (u64)lenSrc ){ |
| 608 | /* ERROR: copy extends past end of input */ |
| 609 | return -1; |
| 610 | } |
| 611 | memcpy(zOut, &zSrc[ofst], cnt); |
| 612 | zOut += cnt; |
| 613 |