149 lines
4.4 KiB
Diff
149 lines
4.4 KiB
Diff
|
See http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3846 for more information.
|
||
|
Origin: http://cvs.savannah.gnu.org/viewvc/cvs/ccvs/src/rcs.c?r1=1.262.4.65&r2=1.262.4.66&sortby=rev&view=patch
|
||
|
--- rcs.c 2008/05/07 15:34:16 1.262.4.65
|
||
|
+++ rcs.c 2010/10/21 13:24:15 1.262.4.66
|
||
|
@@ -7128,7 +7128,7 @@
|
||
|
struct deltafrag *dfhead;
|
||
|
struct deltafrag **dftail;
|
||
|
struct deltafrag *df;
|
||
|
- unsigned long numlines, lastmodline, offset;
|
||
|
+ unsigned long numlines, offset;
|
||
|
struct linevector lines;
|
||
|
int err;
|
||
|
|
||
|
@@ -7202,12 +7202,12 @@
|
||
|
|
||
|
/* New temp data structure to hold new org before
|
||
|
copy back into original structure. */
|
||
|
- lines.nlines = lines.lines_alloced = numlines;
|
||
|
+ lines.lines_alloced = numlines;
|
||
|
lines.vector = xmalloc (numlines * sizeof *lines.vector);
|
||
|
|
||
|
/* We changed the list order to first to last -- so the
|
||
|
list never gets larger than the size numlines. */
|
||
|
- lastmodline = 0;
|
||
|
+ lines.nlines = 0;
|
||
|
|
||
|
/* offset created when adding/removing lines
|
||
|
between new and original structure */
|
||
|
@@ -7216,25 +7216,24 @@
|
||
|
for (df = dfhead; df != NULL; )
|
||
|
{
|
||
|
unsigned int ln;
|
||
|
- unsigned long deltaend;
|
||
|
+ unsigned long newpos = df->pos - offset;
|
||
|
|
||
|
- if (df->pos > orig_lines->nlines)
|
||
|
+ if (newpos < lines.nlines || newpos > numlines)
|
||
|
err = 1;
|
||
|
|
||
|
/* On error, just free the rest of the list. */
|
||
|
if (!err)
|
||
|
{
|
||
|
- /* Here we need to get to the line where the next insert will
|
||
|
+ /* Here we need to get to the line where the next change will
|
||
|
begin, which is DF->pos in ORIG_LINES. We will fill up to
|
||
|
DF->pos - OFFSET in LINES with original items. */
|
||
|
- for (deltaend = df->pos - offset;
|
||
|
- lastmodline < deltaend;
|
||
|
- lastmodline++)
|
||
|
+ while (lines.nlines < newpos)
|
||
|
{
|
||
|
/* we need to copy from the orig structure into new one */
|
||
|
- lines.vector[lastmodline] =
|
||
|
- orig_lines->vector[lastmodline + offset];
|
||
|
- lines.vector[lastmodline]->refcount++;
|
||
|
+ lines.vector[lines.nlines] =
|
||
|
+ orig_lines->vector[lines.nlines + offset];
|
||
|
+ lines.vector[lines.nlines]->refcount++;
|
||
|
+ lines.nlines++;
|
||
|
}
|
||
|
|
||
|
switch (df->type)
|
||
|
@@ -7246,7 +7245,12 @@
|
||
|
struct line *q;
|
||
|
int nextline_newline;
|
||
|
size_t nextline_len;
|
||
|
-
|
||
|
+
|
||
|
+ if (newpos + df->nlines > numlines)
|
||
|
+ {
|
||
|
+ err = 1;
|
||
|
+ break;
|
||
|
+ }
|
||
|
textend = df->new_lines + df->len;
|
||
|
nextline_newline = 0;
|
||
|
nextline_text = df->new_lines;
|
||
|
@@ -7271,8 +7275,7 @@
|
||
|
q->has_newline = nextline_newline;
|
||
|
q->refcount = 1;
|
||
|
memcpy (q->text, nextline_text, nextline_len);
|
||
|
- lines.vector[lastmodline++] = q;
|
||
|
- offset--;
|
||
|
+ lines.vector[lines.nlines++] = q;
|
||
|
|
||
|
nextline_text = (char *)p + 1;
|
||
|
nextline_newline = 0;
|
||
|
@@ -7286,11 +7289,11 @@
|
||
|
q->has_newline = nextline_newline;
|
||
|
q->refcount = 1;
|
||
|
memcpy (q->text, nextline_text, nextline_len);
|
||
|
- lines.vector[lastmodline++] = q;
|
||
|
+ lines.vector[lines.nlines++] = q;
|
||
|
|
||
|
/* For each line we add the offset between the #'s
|
||
|
decreases. */
|
||
|
- offset--;
|
||
|
+ offset -= df->nlines;
|
||
|
break;
|
||
|
}
|
||
|
|
||
|
@@ -7301,14 +7304,20 @@
|
||
|
if (df->pos + df->nlines > orig_lines->nlines)
|
||
|
err = 1;
|
||
|
else if (delvers)
|
||
|
+ {
|
||
|
for (ln = df->pos; ln < df->pos + df->nlines; ++ln)
|
||
|
+ {
|
||
|
if (orig_lines->vector[ln]->refcount > 1)
|
||
|
+ {
|
||
|
/* Annotate needs this but, since the original
|
||
|
* vector is disposed of before returning from
|
||
|
* this function, we only need keep track if
|
||
|
* there are multiple references.
|
||
|
*/
|
||
|
orig_lines->vector[ln]->vers = delvers;
|
||
|
+ }
|
||
|
+ }
|
||
|
+ }
|
||
|
break;
|
||
|
}
|
||
|
}
|
||
|
@@ -7328,21 +7337,20 @@
|
||
|
else
|
||
|
{
|
||
|
/* add the rest of the remaining lines to the data vector */
|
||
|
- for (; lastmodline < numlines; lastmodline++)
|
||
|
+ while (lines.nlines < numlines)
|
||
|
{
|
||
|
/* we need to copy from the orig structure into new one */
|
||
|
- lines.vector[lastmodline] = orig_lines->vector[lastmodline
|
||
|
+ lines.vector[lines.nlines] = orig_lines->vector[lines.nlines
|
||
|
+ offset];
|
||
|
- lines.vector[lastmodline]->refcount++;
|
||
|
+ lines.vector[lines.nlines]->refcount++;
|
||
|
+ lines.nlines++;
|
||
|
}
|
||
|
|
||
|
/* Move the lines vector to the original structure for output,
|
||
|
* first deleting the old.
|
||
|
*/
|
||
|
linevector_free (orig_lines);
|
||
|
- orig_lines->vector = lines.vector;
|
||
|
- orig_lines->lines_alloced = numlines;
|
||
|
- orig_lines->nlines = lines.nlines;
|
||
|
+ *orig_lines = lines;
|
||
|
}
|
||
|
|
||
|
return !err;
|