authorJulian Andres Klode <jak@debian.org>2016-08-31 17:01:04 +0200
committerJulian Andres Klode <jak@debian.org>2016-08-31 17:39:06 +0200
commit923c592ceb6014b31ec751b97b3ed659fa3e88ae (patch)
tree844f89090a5e427ced68312c6dcf5004ee11979d /apt-pkg
parent832f95f4d018f18ff7b3d0381206f25b5a4373a6 (diff)
TagFile: Fix off-by-one errors in comment stripping
Adding 1 to the value of d->End - current makes restLength one byte too long: passing it to memchr(current, ..., restLength) therefore has undefined behavior. Also, reading the value of current has undefined behavior if current >= d->End, not only if current > d->End: consider a string of length 1, that is d->End = d->Current + 1. We can only read at d->Current + 0; d->Current + 1 is beyond the end of the string. This probably caused several inexplicable build failures on hurd-i386 in the past, and just now caused a build failure on Ubuntu's amd64 builder. Reported-By: valgrind
Diffstat (limited to 'apt-pkg')
-rw-r--r--apt-pkg/tagfile.cc4
1 files changed, 2 insertions, 2 deletions
diff --git a/apt-pkg/tagfile.cc b/apt-pkg/tagfile.cc
index 3a3a3a04a..69148e08b 100644
--- a/apt-pkg/tagfile.cc
+++ b/apt-pkg/tagfile.cc
@@ -300,7 +300,7 @@ static void RemoveCommentsFromBuffer(pkgTagFilePrivate * const d)
std::vector<std::pair<char*, size_t>> good_parts;
while (current <= d->End)
{
- size_t const restLength = (d->End - current) + 1;
+ size_t const restLength = (d->End - current);
if (d->isCommentedLine == false)
{
current = static_cast<char*>(memchr(current, '#', restLength));
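Review bot: The loop condition `while (current <= d->End)` just above the changed line still admits current == d->End, the one-past-the-end position, while the corrected test in the second hunk (`current >= d->End`) treats that same position as exhausted. With the new restLength that final iteration calls memchr with a length of 0, which is defined, but the two bounds now read inconsistently; if nothing in the body depends on that zero-length pass, `while (current < d->End)` would state the end-of-buffer invariant once. The body of RemoveCommentsFromBuffer continues past this hunk, so whether a later branch relies on the extra iteration cannot be confirmed from here.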
@@ -335,7 +335,7 @@ static void RemoveCommentsFromBuffer(pkgTagFilePrivate * const d)
}
++current;
// is the next line a comment, too?
- if (current > d->End || *current != '#')
+ if (current >= d->End || *current != '#')
{
d->chunks.emplace_back(false, (current - bad_start));
good_start = current;
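Review bot: The corrected bound `current >= d->End` is right, but nothing at the test site records that d->End is one past the last readable byte, which is exactly what the original `>` got wrong and what the restLength computation in the first hunk also relies on. A one-line comment on the condition would keep a future edit from reintroducing the out-of-bounds read, e.g. `// d->End is one past the last byte: *d->End must never be read`. The enclosing function starts and ends outside this hunk.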