
Bug#155362: Some memory handling bugs



Package: dpkg
Version: 1.10.4
Severity: normal
Tags: patch

There are at least three cases where dpkg accesses memory just outside
the region it has allocated, and one memory leak. I believe the attached patch
fixes these problems (I hope it comes through intact; I've had problems
with that before).

	Sami


diff -ur dpkg-1.10.4/lib/database.c mod/lib/database.c
--- dpkg-1.10.4/lib/database.c	2002-05-06 19:18:15.000000000 +0300
+++ mod/lib/database.c	2002-08-03 22:34:36.000000000 +0300
@@ -181,7 +181,7 @@
   pointerp= bins + (hash(name) & (BINS-1));
   while (*pointerp && strcasecmp((*pointerp)->name,name))
     pointerp= &(*pointerp)->next;
-  if (*pointerp) return *pointerp;
+  if (*pointerp) { free(name); return *pointerp; }

   newpkg= nfmalloc(sizeof(struct pkginfo));
   blankpackage(newpkg);
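Review bot: The added `free(name)` on the early-return path only makes sense if `name` is a heap copy made earlier in this function, and that allocation, together with the not-found path that must release it under the same rule, lies outside the hunk; if the later path does not free it, the leak merely moves rather than disappears, so that path should be checked. Nothing in the hunk records why the free is there, and a later reader comparing it with the `const char *` lookups nearby may be tempted to drop it; a comment on the changed line would fix that: `/* name is this function's own heap copy; release it on the early exit too */`. The one-line brace block matches the surrounding style, so that part is fine.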
diff -ur dpkg-1.10.4/lib/parse.c mod/lib/parse.c
--- dpkg-1.10.4/lib/parse.c	2002-05-06 19:18:15.000000000 +0300
+++ mod/lib/parse.c	2002-08-04 02:58:13.000000000 +0300
@@ -172,6 +172,7 @@
       for (;;) {
         if (c == '\n' || c == MSDOS_EOF_CHAR) {
           lno++;
+          if (EOF_mmap(dataptr, endptr)) break;
           c= getc_mmap(dataptr);
 /* Found double eol, or start of new field */
           if (EOF_mmap(dataptr, endptr) || c == '\n' || !isspace(c)) break;
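Review bot: The new `EOF_mmap` check before `getc_mmap` is what stops the read past `endptr` when the buffer ends right after a newline, but the hunk does not say so, and the pre-existing post-read check on the next line now looks redundant to a reader even though it still decides whether the field ends; add `/* buffer ends on this newline: stop before getc_mmap reads past endptr */` above the added line. After this break `c` still holds the newline (or `MSDOS_EOF_CHAR`) and `lno` has already been incremented, whereas the other break leaves `c` holding the character after it; the code following the loop is outside the hunk and should be checked for whether it relies on `c` being the next character. The `isspace(c)` on the context line receives whatever `getc_mmap` returns; if that is a plain `char`, it needs an `unsigned char` cast, but that is pre-existing rather than part of this change.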
Only in mod/lib: parse.c~
diff -ur dpkg-1.10.4/lib/parsehelp.c mod/lib/parsehelp.c
--- dpkg-1.10.4/lib/parsehelp.c	2002-05-06 19:18:15.000000000 +0300
+++ mod/lib/parsehelp.c	2002-08-03 21:54:01.000000000 +0300
@@ -214,7 +214,7 @@
   } else {
     rversion->epoch= 0;
   }
-  rversion->version= nfstrnsave(string,end-string+1);
+  rversion->version= nfstrnsave(string,end-string);
   hyphen= strrchr(rversion->version,'-');
   if (hyphen) *hyphen++= 0;
   rversion->revision= hyphen ? hyphen : "";
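Review bot: Dropping the `+1` is correct only if `nfstrnsave` appends the terminator itself and `end` points one past the last byte of the version; both facts are established outside this hunk, so a comment on the changed line would stop the next reader from "fixing" it back: `/* end is one past the last byte; nfstrnsave NUL-terminates, so no +1 */`. `end-string` is a `ptrdiff_t` handed to `nfstrnsave`; if its length parameter is unsigned, any input for which `end` could precede `string` would turn into a huge copy, so it is worth confirming in the surrounding parsing code that `end` is always derived from `string` and never before it.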
diff -ur dpkg-1.10.4/main/main.c mod/main/main.c
--- dpkg-1.10.4/main/main.c	2002-06-02 07:26:46.000000000 +0300
+++ mod/main/main.c	2002-08-03 21:31:24.000000000 +0300
@@ -433,7 +433,7 @@
   int i, argc = 1;
   const char *const *arg = argv;
   while(*arg != 0) { arg++; argc++; }
-  nargv= malloc(sizeof(char *) * argc + 2);
+  nargv= malloc(sizeof(char *) * (argc + 2));

   if (!nargv) ohshite(_("couldn't malloc in execbackend"));
   nargv[0]= strdup(cipaction->parg);
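Review bot: The corrected size is right, but `calloc(argc + 2, sizeof *nargv)` would express the same allocation more safely: the element count is checked for multiplication overflow by the library and the array arrives zero-filled, so the trailing NULL terminator that `exec` needs cannot be forgotten on any later path; the proposed line is `nargv = calloc(argc + 2, sizeof *nargv);`. The message in `ohshite(_("couldn't malloc in execbackend"))` would then be slightly off, though leaving it is harmless. The unchecked `strdup` on the following line is pre-existing context rather than part of this change, but it is the next thing a reader of this block will ask about.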



