Mercurial > hg > pyhgsh
comparison mercurial/bdiff.c @ 827:a61728b58dc0
Fix array overflow bug in bdiff
I ran into a bug while importing a large repository into mercurial.
The diff algorithm does not allocate a big enough array of hunks
for some test cases. This results in memory corruption, and possibly,
as in my case, a seg fault.
You should be able to reproduce this problem with any case of more
than a few lines that follows this pattern:
a b
= =
1 1
2
2 3
4
3 5
.
4 .
.
5
.
.
.
I.e., "a" has blank lines on every other line that have been removed in
"b". In this case, the number of matching hunks is equal to the number
of lines in "b". This is more than ((an + bn)/4 + 2). I'm not sure what
motivates this formula, but when I changed it to the smaller of an or
bn (+ 1), it works.
[comment added by mpm]
| author | "Wallace, Eric S" <eric.s.wallace@intel.com> |
|---|---|
| date | Thu, 04 Aug 2005 13:25:59 -0800 |
| parents | e530637ea060 |
| children | 1fe3b14c7044 |
comparison
equal
deleted
inserted
replaced
| 826:16700cdd9055 | 827:a61728b58dc0 |
|---|---|
| 227 int t; | 227 int t; |
| 228 | 228 |
| 229 /* allocate and fill arrays */ | 229 /* allocate and fill arrays */ |
| 230 t = equatelines(a, an, b, bn); | 230 t = equatelines(a, an, b, bn); |
| 231 pos = calloc(bn, sizeof(struct pos)); | 231 pos = calloc(bn, sizeof(struct pos)); |
| 232 l.head = l.base = malloc(sizeof(struct hunk) * ((an + bn) / 4 + 2)); | 232 /* we can't have more matches than lines in the shorter file */ |
| 233 l.head = l.base = malloc(sizeof(struct hunk) * ((an<bn ? an:bn) + 1)); | |
| 233 | 234 |
| 234 if (pos && l.base && t) { | 235 if (pos && l.base && t) { |
| 235 /* generate the matching block list */ | 236 /* generate the matching block list */ |
| 236 recurse(a, b, pos, 0, an, 0, bn, &l); | 237 recurse(a, b, pos, 0, an, 0, bn, &l); |
| 237 l.head->a1 = an; | 238 l.head->a1 = an; |