diff options
author | Julian Andres Klode <jak@debian.org> | 2016-08-31 11:36:44 +0200 |
---|---|---|
committer | Julian Andres Klode <jak@debian.org> | 2016-08-31 12:12:56 +0200 |
commit | ce6cd75dc367b92f65e4fb539dd166d0f3361f8c (patch) | |
tree | 7e0e708bf9862a8a0020d50dfb79a3dd8ecbf894 /apt-pkg/policy.h | |
parent | 317bb39f3cd6626c74f25d7bdf2907f1b235f553 (diff) |
Fix segfault and out-of-bounds read in Binary fields
If a Binary field contains one or more spaces before a comma, the
code produced a segmentation fault, as it accidentally set a pointer
to 0 instead of the value of the pointer.
If the comma is at the beginning of the field, the code would
create a binStartNext that points one element before the start
of the string, which is undefined behavior.
We also need to check that we do not exit the string during the
replacement of spaces before commas: A string of the form " ,"
would normally exit the boundary of the Buffer:
binStartNext = offset 1 ','
binEnd = offset 0 ' '
isspace_ascii(*binEnd) = true => --binEnd
=> binEnd = - 1
We get rid of the problem by only allowing spaces to be eliminated
if they are not the first character of the buffer:
binStartNext = offset 1 ','
binEnd = offset 0 ' '
binEnd > buffer = false, isspace_ascii(*binEnd) = true
=> exit loop
=> binEnd remains 0
Diffstat (limited to 'apt-pkg/policy.h')
0 files changed, 0 insertions, 0 deletions