From 2f34b45174906024fa87ee0d51d2e13d4770f465 Mon Sep 17 00:00:00 2001 From: Julian Andres Klode Date: Mon, 7 Mar 2016 01:32:08 +0100 Subject: apt-pkg/algorithms.cc: Avoid stack buffer overflow in KillList Dynamically allocate KillList in order to avoid an overflow when more than 100 elements would be written to it. This happened while playing around with the status file from Bug#701069 on a modern system. --- apt-pkg/algorithms.cc | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/apt-pkg/algorithms.cc b/apt-pkg/algorithms.cc index b83831053..4fbeefd4a 100644 --- a/apt-pkg/algorithms.cc +++ b/apt-pkg/algorithms.cc @@ -735,6 +735,7 @@ bool pkgProblemResolver::ResolveInternal(bool const BrokenFix) changing a breaks c) */ bool Change = true; bool const TryFixByInstall = _config->FindB("pkgProblemResolver::FixByInstall", true); + std::vector KillList; for (int Counter = 0; Counter != 10 && Change == true; Counter++) { Change = false; @@ -777,12 +778,12 @@ bool pkgProblemResolver::ResolveInternal(bool const BrokenFix) clog << "Investigating (" << Counter << ") " << I << endl; // Isolate the problem dependency - PackageKill KillList[100]; - PackageKill *LEnd = KillList; bool InOr = false; pkgCache::DepIterator Start; pkgCache::DepIterator End; - PackageKill *OldEnd = LEnd; + size_t OldSize = 0; + + KillList.resize(0); enum {OrRemove,OrKeep} OrOp = OrRemove; for (pkgCache::DepIterator D = Cache[I].InstVerIter(Cache).DependsList(); @@ -792,7 +793,7 @@ bool pkgProblemResolver::ResolveInternal(bool const BrokenFix) if (Start == End) { // Decide what to do - if (InOr == true && OldEnd == LEnd) + if (InOr == true && OldSize == KillList.size()) { if (OrOp == OrRemove) { @@ -826,7 +827,7 @@ bool pkgProblemResolver::ResolveInternal(bool const BrokenFix) continue; InOr = Start != End; - OldEnd = LEnd; + OldSize = KillList.size(); } else { @@ -989,10 +990,8 @@ bool pkgProblemResolver::ResolveInternal(bool const BrokenFix) if (Debug == true) clog << " Added " << Pkg.FullName(false) << " to the remove list" << endl; - - LEnd->Pkg = Pkg; - LEnd->Dep = End; - LEnd++; + + KillList.push_back({Pkg, End}); if (Start.IsNegative() == false) break; @@ -1042,7 +1041,7 @@ bool pkgProblemResolver::ResolveInternal(bool const BrokenFix) // Apply the kill list now if (Cache[I].InstallVer != 0) { - for (PackageKill *J = KillList; J != LEnd; J++) + for (auto J = KillList.begin(); J != KillList.end(); J++) { Change = true; if ((Cache[J->Dep] & pkgDepCache::DepGNow) == 0) -- cgit v1.2.3