From b6e9756ca03ec887ef1d0bc8e38f63c29db7a365 Mon Sep 17 00:00:00 2001 From: Julian Andres Klode Date: Tue, 28 Jun 2016 10:24:11 +0200 Subject: Fix buffer overflow in debListParser::VersionHash() If a package file is formatted in a way that that no space follows a deprecated "<", we would reformat it to "<=" and increase the length of the output by 1, which can break. Under normal circumstances with "<=" this should not be an issue. Closes: #828812
---
 apt-pkg/deb/deblistparser.cc | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'apt-pkg/deb/deblistparser.cc')
diff --git a/apt-pkg/deb/deblistparser.cc b/apt-pkg/deb/deblistparser.cc
index ed5484ad9..e24ced271 100644
--- a/apt-pkg/deb/deblistparser.cc
+++ b/apt-pkg/deb/deblistparser.cc
@@ -357,8 +357,12 @@ unsigned short debListParser::VersionHash()
 continue;
 *J++ = tolower_ascii(*Start);
- if ((*Start == '<' || *Start == '>') && Start[1] != *Start && Start[1] != '=')
- *J++ = '=';
+ /* Normalize <= to < and >= to >. This is the wrong way around, but
+ * more efficient that the right way. And since we're only hashing
+ * it does not matter which way we normalize. */
+ if ((*Start == '<' || *Start == '>') && Start[1] == '=') {
+ Start++;
+ }
 }
 Result = AddCRC16(Result,S,J - S);
-- cgit v1.2.3
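Review bot: The store `*J++ = tolower_ascii(*Start);` still has no bound visible in this hunk, so the copy is safe only while the destination `S` is at least as large as the field being hashed. `S` and the loop condition are declared outside the hunk, so this is inferred; if `S` is a fixed-size array, a guard such as `if (J == S + sizeof(S)) break;` ahead of the store would make the limit explicit. The new test also reads `Start[1]` and then advances `Start` inside the loop body, which presumably relies on the byte just past the field being readable and never `=`. A one-line comment stating that assumption would help, for example `/* Start[1] is readable here: the field is always followed by at least one byte in the section buffer */`, once confirmed against the caller. In the added comment, "more efficient that the right way" should read "more efficient than the right way".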