D3729: bitmanipulation: fix undefined behavior in bit shift in getbe32
durin42 (Augie Fackler)
phabricator at mercurial-scm.org
Wed Jun 13 14:25:02 UTC 2018
durin42 created this revision.
Herald added a subscriber: mercurial-devel.
Herald added a reviewer: hg-reviewers.
REVISION SUMMARY
OSS-Fuzz caught this in its ubsan mode[0]. I'm not worried about a
security issue here because in practice this should work out the way
we naively expected, we're just making things explicit to the
compiler with the casts.
0: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8876
REPOSITORY
rHG Mercurial
REVISION DETAIL
https://phab.mercurial-scm.org/D3729
AFFECTED FILES
contrib/fuzz/mpatch_corpus.py
mercurial/bitmanipulation.h
CHANGE DETAILS
diff --git a/mercurial/bitmanipulation.h b/mercurial/bitmanipulation.h
--- a/mercurial/bitmanipulation.h
+++ b/mercurial/bitmanipulation.h
@@ -9,7 +9,8 @@
{
const unsigned char *d = (const unsigned char *)c;
- return ((d[0] << 24) | (d[1] << 16) | (d[2] << 8) | (d[3]));
+ return ((((uint32_t)d[0]) << 24) | (((uint32_t)d[1]) << 16) |
+ (((uint32_t)d[2]) << 8) | (d[3]));
}
static inline int16_t getbeint16(const char *c)
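Review bot: the cast is the right fix, and the reason is worth spelling out in the commit message or a comment: `d[0]` is an `unsigned char`, so integer promotion turns it into a signed `int` before the `<<`, and `d[0] << 24` is undefined whenever `d[0] >= 0x80` because the result does not fit in a 32-bit `int`. Casting to `uint32_t` first makes the shift unsigned 32-bit arithmetic, which is defined for every byte value. Two minor points: `d[3]` is left uncast, which is harmless (the `|` converts it to `uint32_t`) but reads inconsistently next to the three casted terms, and the sibling helpers such as `getbeint16` in the trailing context shift by at most 8, which cannot overflow `int`, so they do not need the same change.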
diff --git a/contrib/fuzz/mpatch_corpus.py b/contrib/fuzz/mpatch_corpus.py
--- a/contrib/fuzz/mpatch_corpus.py
+++ b/contrib/fuzz/mpatch_corpus.py
@@ -78,6 +78,10 @@
zf.writestr(
"mpatch_decode_old_overread", "\x02\x00\x00\x00\x02\x00\x00\x00"
)
+ # https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8876
+ zf.writestr(
+ "mpatch_ossfuzz_getbe32_ubsan",
+ "\x02\x00\x00\x00\x0c \xff\xff\xff\xff ")
zf.writestr(
"mpatch_apply_over_memcpy",
'\x13\x01\x00\x05\xd0\x00\x00\x00\x00\x00\x00\x00\x00\n \x00\x00\x00'
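Review bot: the new corpus entry carries only the OSS-Fuzz link; a short comment saying what the bytes are for (a regression input whose `\xff\xff\xff\xff` run gives `getbe32` a top bit set, the case that tripped ubsan) would tell the next reader why it must stay. Also match the formatting of the `mpatch_decode_old_overread` entry just above, which puts the closing `)` on its own line rather than on the string line.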
To: durin42, #hg-reviewers
Cc: mercurial-devel
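The following is an added example, not Mercurial's code or part of the patch above, showing the promotion rule the fix relies on: an `unsigned char` is promoted to `int` before `<<`, so shifting a byte with its top bit set by 24 overflows a 32-bit `int` and is undefined, while casting to `uint32_t` first keeps the whole computation in unsigned arithmetic. The helper names `be32_promoted_overflows` and `getbe32_fixed` are assumed here; the sample inputs are constructed.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Reports whether `b << 24` would overflow after the implicit promotion
 * of `b` to int, computed without performing the shift. The threshold is
 * derived from INT_MAX so the check is correct for any int width; on the
 * common 32-bit int it is 0x7f, so bytes 0x80..0xff are the bad cases. */
static int be32_promoted_overflows(unsigned char b)
{
    return (int)b > (INT_MAX >> 24);
}

/* Same arithmetic as the patched getbe32: every shifted byte is cast to
 * uint32_t first, so the shifts are unsigned 32-bit and fully defined.
 * d[3] is not shifted, so its promotion to int is harmless; the `|`
 * converts it to uint32_t. */
static inline uint32_t getbe32_fixed(const char *c)
{
    const unsigned char *d = (const unsigned char *)c;
    return ((((uint32_t)d[0]) << 24) | (((uint32_t)d[1]) << 16) |
            (((uint32_t)d[2]) << 8) | (d[3]));
}

int main(void)
{
    /* Constructed inputs: one with the top bit set (the ubsan case from the
     * OSS-Fuzz corpus entry) and one without. */
    const char high[4] = { '\xff', '\xff', '\xff', '\xff' };
    const char low[4]  = { '\x7f', '\x00', '\x00', '\x01' };

    printf("high: value=0x%08x promoted-shift-overflows=%d\n",
           (unsigned)getbe32_fixed(high),
           be32_promoted_overflows((unsigned char)high[0]));
    printf("low:  value=0x%08x promoted-shift-overflows=%d\n",
           (unsigned)getbe32_fixed(low),
           be32_promoted_overflows((unsigned char)low[0]));
    return 0;
}
```

Compiling with `-fsanitize=undefined` is the practical check: the pre-patch expression is reported on the `high` input, the cast version is silent, and both produce the same value on ordinary two's-complement targets, which is why the summary treats this as a conformance fix rather than a security bug.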