From 4061d595920c52b3b1cbcdbfc1d041a7607c206b Mon Sep 17 00:00:00 2001
From: Julian Andres Klode
Date: Wed, 31 Aug 2016 17:01:04 +0200
Subject: TagFile: Fix off-by-one errors in comment stripping

Adding 1 to the value of d->End - current makes restLength one byte too long: If we pass memchr(current, ..., restLength) has thus undefined behavior. Also, reading the value of current has undefined behavior if current >= d->End, not only for current > d->End: Consider a string of length 1, that is d->End = d->Current + 1. We can only read at d->Current + 0, but d->Current + 1 is beyond the end of the string. This probably caused several inexplicable build failures on hurd-i386 in the past, and just now caused a build failure on Ubuntu's amd64 builder.

Reported-By: valgrind
(cherry picked from commit 923c592ceb6014b31ec751b97b3ed659fa3e88ae)
---
 apt-pkg/tagfile.cc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/apt-pkg/tagfile.cc b/apt-pkg/tagfile.cc
index 3a3a3a04a..69148e08b 100644
--- a/apt-pkg/tagfile.cc
+++ b/apt-pkg/tagfile.cc
@@ -300,7 +300,7 @@ static void RemoveCommentsFromBuffer(pkgTagFilePrivate * const d)
 std::vector> good_parts;
 while (current <= d->End)
 {
- size_t const restLength = (d->End - current) + 1;
+ size_t const restLength = (d->End - current);
 if (d->isCommentedLine == false)
 {
 current = static_cast(memchr(current, '#', restLength));
@@ -335,7 +335,7 @@ static void RemoveCommentsFromBuffer(pkgTagFilePrivate * const d)
 }
 ++current;
 // is the next line a comment, too?
- if (current > d->End || *current != '#')
+ if (current >= d->End || *current != '#')
 {
 d->chunks.emplace_back(false, (current - bad_start));
 good_start = current;
--
cgit v1.2.3
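Review bot: The corrected restLength is only right because d->End is a one-past-the-end pointer, and nothing in the hunk records that invariant even though misreading it is exactly what produced the original off-by-one; the retained `while (current <= d->End)` also still admits a final iteration with current == d->End, where restLength is 0 and memchr is handed the past-the-end pointer with a zero length (permitted, but the very edge the commit message has to argue about). I would pin the invariant at the computation: `size_t const restLength = (d->End - current); // d->End is one past the last byte, so this is the exact remaining count (0 when current == d->End)`. If the memchr NULL-return path does not depend on that empty last iteration, tightening the loop to `current < d->End` would remove it, but the rest of the loop body is outside this hunk so I cannot confirm that. RemoveCommentsFromBuffer begins before and continues after this hunk.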
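Review bot: The new `>=` guard is correct but says nothing about why the old `>` was unsafe: after `++current` the pointer may sit exactly at d->End, which is one past the buffer and must not be read, and only the short-circuit order of `||` keeps `*current` from being evaluated there. I would state that next to the check: `// current may equal d->End (one past the end) after the increment; test that before dereferencing`. The enclosing function starts before and ends after this hunk, so whether current can also run past d->End here is not visible from the diff; `>=` covers both cases either way.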