From df2d614900476920671779f27fcc4143d3c1b5b7 Mon Sep 17 00:00:00 2001
From: David Kalnischkies
Date: Thu, 4 Jan 2018 22:57:21 +0100
Subject: dpkg status parsing: check if name is valid before use
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The summary line sounds a bit much: what we end up doing is just adding two more guards before using results which should always be valid™. That these values aren't valid is likely a bug in itself somewhere, but that is no reason for crashing.
---
 apt-pkg/deb/dpkgpm.cc | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)
(limited to 'apt-pkg')
diff --git a/apt-pkg/deb/dpkgpm.cc b/apt-pkg/deb/dpkgpm.cc
index c6d0a50f1..c6900ec77 100644
--- a/apt-pkg/deb/dpkgpm.cc
+++ b/apt-pkg/deb/dpkgpm.cc
@@ -653,7 +653,13 @@ void pkgDPkgPM::ProcessDpkgStatusLine(char *line)
 // At this point we have a pkgname, but it might not be arch-qualified !
 if (pkgname.find(":") == std::string::npos)
 {
- pkgCache::GrpIterator Grp = Cache.FindGrp(pkgname);
+ pkgCache::GrpIterator const Grp = Cache.FindGrp(pkgname);
+ if (unlikely(Grp.end()== true))
+ {
+ if (Debug == true)
+ std::clog << "unable to figure out which package is dpkg referring to with '" << pkgname << "'! (0)" << std::endl;
+ return;
+ }
 /* No arch means that dpkg believes there can only be one package this can refer to so lets see what could be candidates here: */
 std::vector candset;
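Review bot: The `Grp.end()` guard returns without leaving any trace unless `Debug` is set, so outside debug runs a status line naming a package the cache cannot resolve is dropped silently, even though the commit message calls that state a likely bug elsewhere; the `pkgi == candset.end()` guard in the second hunk behaves the same way. A comment above the guard would record the decision, for example `// dpkg named a package we cannot find in the cache: skip the line instead of working on an end iterator`. If these cases are meant to be investigated, an unconditional diagnostic would be worth considering, with `pkgname` sanitized first since it appears to be taken from the status line. The function body starts and ends outside the hunk.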
@@ -729,7 +735,16 @@ void pkgDPkgPM::ProcessDpkgStatusLine(char *line)
 if (PackageOps[fullname].size() != PackageOpsDone[fullname])
 pkgname = std::move(fullname);
 else
- pkgname = std::find_if_not(candset.begin(), candset.end(), PkgHasCurrentVersion)->FullName();
+ {
+ auto const pkgi = std::find_if_not(candset.begin(), candset.end(), PkgHasCurrentVersion);
+ if (unlikely(pkgi == candset.end()))
+ {
+ if (Debug == true)
+ std::clog << "situation for '" << pkgname << "' looked like a crossgrade, but all are installed?!" << std::endl;
+ return;
+ }
+ pkgname = pkgi->FullName();
+ }
 }
 // we are desperate: so "just" take the native one, but that might change mid-air,
 // so we have to ask dpkg what it believes native is at the moment… all the time
-- cgit v1.2.3
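Review bot: The new `pkgi == candset.end()` branch has no code comment saying which state it covers; only the debug string hints that every candidate already satisfies `PkgHasCurrentVersion`. I would add a line above the check such as `// no candidate without a current version is left, so this line cannot be matched to a package: ignore it`. The added block also leaves the `if` arm unbraced while the `else` arm is now a braced block, so bracing both would read more evenly. The enclosing block starts above the hunk.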