1 This patch addresses CVE-2010-3846; see http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3846 for more information.
2 Origin: http://cvs.savannah.gnu.org/viewvc/cvs/ccvs/src/rcs.c?r1=1.262.4.65&r2=1.262.4.66&sortby=rev&view=patch
3 --- rcs.c 2008/05/07 15:34:16 1.262.4.65
4 +++ rcs.c 2010/10/21 13:24:15 1.262.4.66
5 @@ -7128,7 +7128,7 @@
6 struct deltafrag *dfhead;
7 struct deltafrag **dftail;
8 struct deltafrag *df;
9 - unsigned long numlines, lastmodline, offset;
10 + unsigned long numlines, offset;
11 struct linevector lines;
12 int err;
13
14 @@ -7202,12 +7202,12 @@
15
16 /* New temp data structure to hold new org before
17 copy back into original structure. */
18 - lines.nlines = lines.lines_alloced = numlines;
19 + lines.lines_alloced = numlines;
20 lines.vector = xmalloc (numlines * sizeof *lines.vector);
21
22 /* We changed the list order to first to last -- so the
23 list never gets larger than the size numlines. */
24 - lastmodline = 0;
25 + lines.nlines = 0;
26
27 /* offset created when adding/removing lines
28 between new and original structure */
29 @@ -7216,25 +7216,24 @@
30 for (df = dfhead; df != NULL; )
31 {
32 unsigned int ln;
33 - unsigned long deltaend;
34 + unsigned long newpos = df->pos - offset;
35
36 - if (df->pos > orig_lines->nlines)
37 + if (newpos < lines.nlines || newpos > numlines)
38 err = 1;
39
40 /* On error, just free the rest of the list. */
41 if (!err)
42 {
43 - /* Here we need to get to the line where the next insert will
44 + /* Here we need to get to the line where the next change will
45 begin, which is DF->pos in ORIG_LINES. We will fill up to
46 DF->pos - OFFSET in LINES with original items. */
47 - for (deltaend = df->pos - offset;
48 - lastmodline < deltaend;
49 - lastmodline++)
50 + while (lines.nlines < newpos)
51 {
52 /* we need to copy from the orig structure into new one */
53 - lines.vector[lastmodline] =
54 - orig_lines->vector[lastmodline + offset];
55 - lines.vector[lastmodline]->refcount++;
56 + lines.vector[lines.nlines] =
57 + orig_lines->vector[lines.nlines + offset];
58 + lines.vector[lines.nlines]->refcount++;
59 + lines.nlines++;
60 }
61
62 switch (df->type)
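Review bot: The replacement check at `if (newpos < lines.nlines || newpos > numlines)` bounds only the destination index, while the copy loop below still reads `orig_lines->vector[lines.nlines + offset]` up to index `df->pos - 1`, and the removed `df->pos > orig_lines->nlines` test was the only guard on that source index. If numlines includes lines contributed by later add fragments (it is summed outside this hunk), an add positioned past the end of the original but within numlines passes the new check, and the loop then reads stale vector entries beyond the original's line count and increments `refcount` through them. Unless fragment positions are validated when the delta is parsed, which is not visible here, keep the old bound alongside the new one: `if (newpos < lines.nlines || newpos > numlines || df->pos > orig_lines->nlines)`. The enclosing for loop continues past this hunk.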
63 @@ -7246,7 +7245,12 @@
64 struct line *q;
65 int nextline_newline;
66 size_t nextline_len;
67 -
68 +
69 + if (newpos + df->nlines > numlines)
70 + {
71 + err = 1;
72 + break;
73 + }
74 textend = df->new_lines + df->len;
75 nextline_newline = 0;
76 nextline_text = df->new_lines;
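Review bot: `if (newpos + df->nlines > numlines)` is evaluated in unsigned long and wraps when df->nlines, which is parsed from the delta text, is close to ULONG_MAX; a wrapped sum passes the check and the loop that follows pushes entries past the end of lines.vector. The check in the earlier hunk already guarantees newpos <= numlines, so the subtraction form cannot wrap: `if (df->nlines > numlines - newpos)`. The delete case further down, `df->pos + df->nlines > orig_lines->nlines`, has the same shape and would benefit from the same rewrite once df->pos is known to be within orig_lines->nlines. Whether numlines itself survived that arithmetic is decided where it is summed, outside this hunk.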
77 @@ -7271,8 +7275,7 @@
78 q->has_newline = nextline_newline;
79 q->refcount = 1;
80 memcpy (q->text, nextline_text, nextline_len);
81 - lines.vector[lastmodline++] = q;
82 - offset--;
83 + lines.vector[lines.nlines++] = q;
84
85 nextline_text = (char *)p + 1;
86 nextline_newline = 0;
87 @@ -7286,11 +7289,11 @@
88 q->has_newline = nextline_newline;
89 q->refcount = 1;
90 memcpy (q->text, nextline_text, nextline_len);
91 - lines.vector[lastmodline++] = q;
92 + lines.vector[lines.nlines++] = q;
93
94 /* For each line we add the offset between the #'s
95 decreases. */
96 - offset--;
97 + offset -= df->nlines;
98 break;
99 }
100
101 @@ -7301,14 +7304,20 @@
102 if (df->pos + df->nlines > orig_lines->nlines)
103 err = 1;
104 else if (delvers)
105 + {
106 for (ln = df->pos; ln < df->pos + df->nlines; ++ln)
107 + {
108 if (orig_lines->vector[ln]->refcount > 1)
109 + {
110 /* Annotate needs this but, since the original
111 * vector is disposed of before returning from
112 * this function, we only need keep track if
113 * there are multiple references.
114 */
115 orig_lines->vector[ln]->vers = delvers;
116 + }
117 + }
118 + }
119 break;
120 }
121 }
122 @@ -7328,21 +7337,20 @@
123 else
124 {
125 /* add the rest of the remaining lines to the data vector */
126 - for (; lastmodline < numlines; lastmodline++)
127 + while (lines.nlines < numlines)
128 {
129 /* we need to copy from the orig structure into new one */
130 - lines.vector[lastmodline] = orig_lines->vector[lastmodline
131 + lines.vector[lines.nlines] = orig_lines->vector[lines.nlines
132 + offset];
133 - lines.vector[lastmodline]->refcount++;
134 + lines.vector[lines.nlines]->refcount++;
135 + lines.nlines++;
136 }
137
138 /* Move the lines vector to the original structure for output,
139 * first deleting the old.
140 */
141 linevector_free (orig_lines);
142 - orig_lines->vector = lines.vector;
143 - orig_lines->lines_alloced = numlines;
144 - orig_lines->nlines = lines.nlines;
145 + *orig_lines = lines;
146 }
147
148 return !err;
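Review bot: The tail loop at `while (lines.nlines < numlines)` reads `orig_lines->vector[lines.nlines + offset]` without ever comparing that index to `orig_lines->nlines`; it stays in range only if numlines was computed as the original line count plus added minus deleted lines, and that computation is outside this hunk. A comment stating the invariant that makes the unchecked read safe would spare the next reader from re-deriving it: `/* Here numlines + offset == orig_lines->nlines, so every index below stays in range. */`. The new `*orig_lines = lines;` also carries over lines_alloced, which the old three-line form set explicitly, so nothing is lost by the struct copy. The error branch paired with this `else` and the function's start are outside the hunk.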
|