36 lines
1.0 KiB
Diff
36 lines
1.0 KiB
Diff
|
From 165330b7bf0757e30fa8a6de9998a564fb62796f Mon Sep 17 00:00:00 2001
|
|||
|
|
From: "Demi M. Obenour" <demiobenour@gmail.com>
|
|||
|
|
Date: Tue, 29 Dec 2020 22:59:36 -0500
|
|||
|
|
Subject: [PATCH] Avoid incrementing a pointer past the end
|
|||
|
|
MIME-Version: 1.0
|
|||
|
|
Content-Type: text/plain; charset=UTF-8
|
|||
|
|
Content-Transfer-Encoding: 8bit
|
|||
|
|
|
|||
|
|
The ‘end’ parameter to ‘strtaglen’ might point past the end of an
|
|||
|
|
allocation. Therefore, if ‘start’ becomes equal to ‘end’, exit the loop
|
|||
|
|
without calling ‘memchr’ on it.
|
|||
|
|
---
|
|||
|
|
lib/header.c | 6 ++----
|
|||
|
|
1 file changed, 2 insertions(+), 4 deletions(-)
|
|||
|
|
|
|||
|
|
diff --git a/lib/header.c b/lib/header.c
|
|||
|
|
index c0a989691..98eda4138 100644
|
|||
|
|
--- a/lib/header.c
|
|||
|
|
+++ b/lib/header.c
|
|||
|
|
@@ -412,10 +412,8 @@ static inline int strtaglen(const char *str, rpm_count_t c, const char *end)
|
|||
|
|
const char *s;
|
|||
|
|
|
|||
|
|
if (end) {
|
|||
|
|
- if (str >= end)
|
|||
|
|
- return -1;
|
|||
|
|
- while ((s = memchr(start, '\0', end-start))) {
|
|||
|
|
- if (--c == 0 || s > end)
|
|||
|
|
+ while (end > start && (s = memchr(start, '\0', end-start))) {
|
|||
|
|
+ if (--c == 0)
|
|||
|
|
break;
|
|||
|
|
start = s + 1;
|
|||
|
|
}
|
|||
|
|
--
|
|||
|
|
2.27.0
|
|||
|
|
|