aboutsummaryrefslogtreecommitdiff
path: root/contrib/subversion/subversion/libsvn_delta/svndiff.c
diff options
context:
space:
mode:
Diffstat (limited to 'contrib/subversion/subversion/libsvn_delta/svndiff.c')
-rw-r--r--contrib/subversion/subversion/libsvn_delta/svndiff.c20
1 files changed, 14 insertions, 6 deletions
diff --git a/contrib/subversion/subversion/libsvn_delta/svndiff.c b/contrib/subversion/subversion/libsvn_delta/svndiff.c
index b9cb28515118..dadf252fef5f 100644
--- a/contrib/subversion/subversion/libsvn_delta/svndiff.c
+++ b/contrib/subversion/subversion/libsvn_delta/svndiff.c
@@ -830,23 +830,23 @@ write_handler(void *baton,
p = decode_file_offset(&sview_offset, p, end);
if (p == NULL)
- return SVN_NO_ERROR;
+ break;
p = decode_size(&sview_len, p, end);
if (p == NULL)
- return SVN_NO_ERROR;
+ break;
p = decode_size(&tview_len, p, end);
if (p == NULL)
- return SVN_NO_ERROR;
+ break;
p = decode_size(&inslen, p, end);
if (p == NULL)
- return SVN_NO_ERROR;
+ break;
p = decode_size(&newlen, p, end);
if (p == NULL)
- return SVN_NO_ERROR;
+ break;
if (tview_len > SVN_DELTA_WINDOW_SIZE ||
sview_len > SVN_DELTA_WINDOW_SIZE ||
@@ -904,7 +904,15 @@ write_handler(void *baton,
db->subpool = newpool;
}
- /* NOTREACHED */
+ /* At this point we processed all integral windows and DB->BUFFER is empty
+ or contains partially read window header.
+ Check that unprocessed data is not larger that theoretical maximum
+ window header size. */
+ if (db->buffer->len > 5 * MAX_ENCODED_INT_LEN)
+ return svn_error_create(SVN_ERR_SVNDIFF_CORRUPT_WINDOW, NULL,
+ _("Svndiff contains a too-large window header"));
+
+ return SVN_NO_ERROR;
}
/* Minimal svn_stream_t write handler, doing nothing */
generated by cgit v1.2.3 (git 2.25.1) at 2024-09-22 16:21:03 +0000