Bug#148221: dpkg: Small off by one error in parseversion()
On Sun, May 26, 2002 at 11:42:39PM -0500, Adam Heath wrote:
> > --- lib/parsehelp.c.orig Sun May 26 19:24:23 2002
> > +++ lib/parsehelp.c Sun May 26 19:22:34 2002
> > @@ -214,7 +214,7 @@
> > } else {
> > rversion->epoch= 0;
> > }
> > - rversion->version= nfstrnsave(string,end-string+1);
> > + rversion->version= nfstrnsave(string,end-string);
> > hyphen= strrchr(rversion->version,'-');
> > if (hyphen) *hyphen++= 0;
> > rversion->revision= hyphen ? hyphen : "";
> This is a problem, but this is not the proper fix.
> Let's say string == 0x5, and end = 0x6. This means we need to copy 2
> chars(0x5 and 0x6, or 0x6 - 0x5 + 1). So, your buffer overrun does not occur
> in this code.
Erm, while that's strictly correct, I don't think it's what's intended. If
you start with:
" 1.2.3 "
you end up with:
x12345678
" 1.2.3 "
^ ^
| |
| end
string
...in which case end - string is ((x+8) - (x+3)) = 5 which is the number
of characters you want to save -- no "+1" needed. The extra space or \0
or tab that end points to presumably isn't interesting, and could result
in incorrect behaviour if you compare "1.2.3-1 " against "1.2.3-1".
> The solution, is to use obstack_copy0, instead of obstack_copy, and not add 1
> to l.
In which case you still end up with "1.2.3 " instead of "1.2.3", which
still seems like a bug, although it won't cause a segfault anymore.
Cheers,
aj
--
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.
``BAM! Science triumphs again!''
-- http://www.angryflower.com/vegeta.gif
--
To UNSUBSCRIBE, email to debian-dpkg-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Reply to: