Mercurial before version 4.6.1 is vulnerable to a buffer underflow in mpatch.c:mpatch_apply().
Created mercurial tracking bugs for this issue:
Affects: fedora-all [bug 1594088]
This is related to CVE-2018-13346: this issue is writing before the output buffer, where the other reads past the end of input. In mercurial 2.6.2, it is present in the apply() function.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2019:2276 https://access.redhat.com/errata/RHSA-2019:2276
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):