Mercurial before version 4.6.1 does not properly check the length of binary patch data.
Upstream Changelog: https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.6.1_.282018-06-06.29
Upstream Patches: https://www.mercurial-scm.org/repo/hg/rev/90a274965de7
Created mercurial tracking bugs for this issue:
Affects: fedora-all [bug 1594084]
In earlier versions of Mercurial (including 2.6.2), the pointer was maintained at the end of the region that would be read, so overflow was not possible.