From ce6cd75dc367b92f65e4fb539dd166d0f3361f8c Mon Sep 17 00:00:00 2001 From: Julian Andres Klode Date: Wed, 31 Aug 2016 11:36:44 +0200 Subject: Fix segfault and out-of-bounds read in Binary fields If a Binary field contains one or more spaces before a comma, the code produced a segmentation fault, as it accidentally set a pointer to 0 instead of the value of the pointer. If the comma is at the beginning of the field, the code would create a binStartNext that points one element before the start of the string, which is undefined behavior. We also need to check that we do not exit the string during the replacement of spaces before commas: A string of the form " ," would normally exit the boundary of the Buffer: binStartNext = offset 1 ',' binEnd = offset 0 ' ' isspace_ascii(*binEnd) = true => --binEnd => binEnd = - 1 We get rid of the problem by only allowing spaces to be eliminated if they are not the first character of the buffer: binStartNext = offset 1 ',' binEnd = offset 0 ' ' binEnd > buffer = false, isspace_ascii(*binEnd) = true => exit loop => binEnd remains 0 --- apt-pkg/deb/debsrcrecords.cc | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'apt-pkg/deb/debsrcrecords.cc') diff --git a/apt-pkg/deb/debsrcrecords.cc b/apt-pkg/deb/debsrcrecords.cc index 5454d79c3..d296161d6 100644 --- a/apt-pkg/deb/debsrcrecords.cc +++ b/apt-pkg/deb/debsrcrecords.cc @@ -73,9 +73,12 @@ const char **debSrcRecordParser::Binaries() char* bin = Buffer; do { char* binStartNext = strchrnul(bin, ','); - char* binEnd = binStartNext - 1; - for (; isspace_ascii(*binEnd) != 0; --binEnd) - binEnd = 0; + // Found a comma, clean up any space before it + if (binStartNext > Buffer) { + char* binEnd = binStartNext - 1; + for (; binEnd > Buffer && isspace_ascii(*binEnd) != 0; --binEnd) + *binEnd = 0; + } StaticBinList.push_back(bin); if (*binStartNext != ',') break; -- cgit v1.2.3