Bug#155362: Some memory handling bugs
Package: dpkg
Version: 1.10.4
Severity: normal
Tags: patch
There are at least three cases where dpkg accesses memory just outside
what it has allocated, and one memory leak. I believe the attached patch
fixes these problems (I hope it comes through as is; I've had problems
with that before).
Sami
diff -ur dpkg-1.10.4/lib/database.c mod/lib/database.c
--- dpkg-1.10.4/lib/database.c 2002-05-06 19:18:15.000000000 +0300
+++ mod/lib/database.c 2002-08-03 22:34:36.000000000 +0300
@@ -181,7 +181,7 @@
pointerp= bins + (hash(name) & (BINS-1));
while (*pointerp && strcasecmp((*pointerp)->name,name))
pointerp= &(*pointerp)->next;
- if (*pointerp) return *pointerp;
+ if (*pointerp) { free(name); return *pointerp; }
newpkg= nfmalloc(sizeof(struct pkginfo));
blankpackage(newpkg);
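Review bot: The new `free(name)` on the early-return path is only valid if `name` was obtained from malloc/strdup; if it instead came from `nfmalloc`, the arena allocator used two lines below for `newpkg`, freeing it would be invalid. The function's start, where `name` is set up, lies outside the hunk, so this cannot be confirmed here; a comment at the allocation site such as `/* name is a malloc'd copy; every return path must free it */` would record the ownership rule. An early `return` that also frees inside braces is easy to miss when another exit is added later, so a single-exit shape (`newpkg = *pointerp; goto out;` with the one `free(name)` at `out:`) would keep the release in one place.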
diff -ur dpkg-1.10.4/lib/parse.c mod/lib/parse.c
--- dpkg-1.10.4/lib/parse.c 2002-05-06 19:18:15.000000000 +0300
+++ mod/lib/parse.c 2002-08-04 02:58:13.000000000 +0300
@@ -172,6 +172,7 @@
for (;;) {
if (c == '\n' || c == MSDOS_EOF_CHAR) {
lno++;
+ if (EOF_mmap(dataptr, endptr)) break;
c= getc_mmap(dataptr);
/* Found double eol, or start of new field */
if (EOF_mmap(dataptr, endptr) || c == '\n' || !isspace(c)) break;
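Review bot: With the added guard in place, the `EOF_mmap` test on the following line can only fire when `getc_mmap` has just consumed the final byte of the mapping, in which case that byte is read into `c` and then discarded by the `break`; whether that is intended is not visible from the hunk. A short comment on the new line would make the contract explicit, e.g. `/* newline was the last byte: no further field can follow */`. The enclosing loop and function continue outside the hunk.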
Only in mod/lib: parse.c~
diff -ur dpkg-1.10.4/lib/parsehelp.c mod/lib/parsehelp.c
--- dpkg-1.10.4/lib/parsehelp.c 2002-05-06 19:18:15.000000000 +0300
+++ mod/lib/parsehelp.c 2002-08-03 21:54:01.000000000 +0300
@@ -214,7 +214,7 @@
} else {
rversion->epoch= 0;
}
- rversion->version= nfstrnsave(string,end-string+1);
+ rversion->version= nfstrnsave(string,end-string);
hyphen= strrchr(rversion->version,'-');
if (hyphen) *hyphen++= 0;
rversion->revision= hyphen ? hyphen : "";
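Review bot: Dropping the `+1` is correct only if `nfstrnsave` copies exactly the given number of bytes and appends the terminator itself (allocating one byte more); its definition is not in the hunk, so that contract should be confirmed and recorded next to the call, e.g. `/* [string,end) is the version proper; nfstrnsave adds the NUL */`. `end-string` is a pointer difference, so if `nfstrnsave` takes an `int` length the implicit narrowing is pre-existing but deserves an explicit cast or a `size_t` parameter. The enclosing function starts outside the hunk.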
diff -ur dpkg-1.10.4/main/main.c mod/main/main.c
--- dpkg-1.10.4/main/main.c 2002-06-02 07:26:46.000000000 +0300
+++ mod/main/main.c 2002-08-03 21:31:24.000000000 +0300
@@ -433,7 +433,7 @@
int i, argc = 1;
const char *const *arg = argv;
while(*arg != 0) { arg++; argc++; }
- nargv= malloc(sizeof(char *) * argc + 2);
+ nargv= malloc(sizeof(char *) * (argc + 2));
if (!nargv) ohshite(_("couldn't malloc in execbackend"));
nargv[0]= strdup(cipaction->parg);
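Review bot: The corrected size expression still spells the element type by hand; `nargv= malloc((argc + 2) * sizeof *nargv);` keeps it tied to the declaration of `nargv`. The `strdup` on the next line is unchecked while the `malloc` directly above it is, so a NULL from `strdup` would be stored as `nargv[0]` and presumably handed to the exec'd backend; `if (!nargv[0]) ohshite(_("couldn't malloc in execbackend"));` would match the existing handling. The `+2` slack is unexplained in the visible lines, so a comment stating what the two extra slots hold would help. The enclosing function (`execbackend`, per the error string) starts outside the hunk.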