diff options
author | Julian Andres Klode <jak@debian.org> | 2016-08-31 17:01:04 +0200 |
---|---|---|
committer | Julian Andres Klode <jak@debian.org> | 2016-08-31 17:39:06 +0200 |
commit | 923c592ceb6014b31ec751b97b3ed659fa3e88ae (patch) | |
tree | 844f89090a5e427ced68312c6dcf5004ee11979d /apt-pkg | |
parent | 832f95f4d018f18ff7b3d0381206f25b5a4373a6 (diff) | |
download | apt-923c592ceb6014b31ec751b97b3ed659fa3e88ae.tar.gz |
TagFile: Fix off-by-one errors in comment stripping
Adding 1 to the value of d->End - current makes restLength one byte
too long: If we pass memchr(current, ..., restLength) has thus
undefined behavior.
Also, reading the value of current has undefined behavior if
current >= d->End, not only for current > d->End:
Consider a string of length 1, that is d->End = d->Current + 1.
We can only read at d->Current + 0, but d->Current + 1 is beyond
the end of the string.
This probably caused several inexplicable build failures on hurd-i386
in the past, and just now caused a build failure on Ubuntu's amd64
builder.
Reported-By: valgrind
Diffstat (limited to 'apt-pkg')
-rw-r--r-- | apt-pkg/tagfile.cc | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/apt-pkg/tagfile.cc b/apt-pkg/tagfile.cc index 3a3a3a04a..69148e08b 100644 --- a/apt-pkg/tagfile.cc +++ b/apt-pkg/tagfile.cc @@ -300,7 +300,7 @@ static void RemoveCommentsFromBuffer(pkgTagFilePrivate * const d) std::vector<std::pair<char*, size_t>> good_parts; while (current <= d->End) { - size_t const restLength = (d->End - current) + 1; + size_t const restLength = (d->End - current); if (d->isCommentedLine == false) { current = static_cast<char*>(memchr(current, '#', restLength)); @@ -335,7 +335,7 @@ static void RemoveCommentsFromBuffer(pkgTagFilePrivate * const d) } ++current; // is the next line a comment, too? - if (current > d->End || *current != '#') + if (current >= d->End || *current != '#') { d->chunks.emplace_back(false, (current - bad_start)); good_start = current; |