Bug#228379: Debian bug #228379: dpkg corrupts filenames during remove
Sorry to mail you directly in addition to bugs.d.o, but I want to get
feedback from humans and there was no answer to my previous email.
I'm doing a spring cleanup on my machines and this bug is annoying me,
so I looked at the dpkg 1.10.18 sources and I came up with this.
Looking at main/remove.c (lines 339-343):
    varbufreset(&fnvb);
    varbufaddstr(&fnvb,instdir);
    varbufaddstr(&fnvb,namenodetouse(namenode,pkg)->name);
    if (!stat(fnvb.buf,&stab) && S_ISDIR(stab.st_mode)) {
varbufaddstr() is #defined in include/dpkg-db.h:
    #define varbufaddstr(v, s) varbufaddbuf(v, s, strlen(s))
varbufaddbuf() is in lib/varbuf.c:
    void varbufaddbuf(struct varbuf *v, const void *s, const int l) {
      int ou;
      ou= v->used;
      v->used += l;
      if (v->used >= v->size) varbufextend(v);
      memcpy(v->buf + ou, s, l);
    }
We're definitely missing the code to terminate the string here (unless
varbufextend() zeroed newly allocated space, but it doesn't).
Note that the C++ version of struct varbuf has a terminate() method that
does just what I think should be done.
--
Ciao,
Flavio Stanchina
Trento - Italy
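The missing terminator described in the report, as an added example (this is not dpkg code and not part of the original message): a minimal stand-in for struct varbuf with varbufaddbuf() written exactly as quoted above, plus a hypothetical varbufterminate() modelled on the C++ terminate() method the report mentions. The struct layout, the growth policy in varbufextend(), the initial buffer size, the sample instdir and package path, and the pre-filling of the buffer with 'X' to stand in for stale heap contents are all assumptions made for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for dpkg's struct varbuf (layout assumed). */
struct varbuf {
    int used;   /* bytes appended so far */
    int size;   /* bytes allocated */
    char *buf;
};

static void varbufinit(struct varbuf *v, int initial) {
    v->used = 0;
    v->size = initial;
    v->buf = malloc(initial);
    if (!v->buf) { perror("malloc"); exit(1); }
}

/* Grow the allocation. The growth policy is assumed; the point that
 * matches the report is that newly allocated space is NOT zeroed. */
static void varbufextend(struct varbuf *v) {
    int newsize = v->size ? v->size : 80;
    while (newsize <= v->used) newsize *= 2;
    v->buf = realloc(v->buf, newsize);
    if (!v->buf) { perror("realloc"); exit(1); }
    v->size = newsize;
}

/* Same logic as the varbufaddbuf() quoted in the report: copies l bytes
 * and never writes a NUL terminator. */
void varbufaddbuf(struct varbuf *v, const void *s, const int l) {
    int ou = v->used;
    v->used += l;
    if (v->used >= v->size) varbufextend(v);
    memcpy(v->buf + ou, s, l);
}

#define varbufaddstr(v, s) varbufaddbuf(v, s, strlen(s))

/* Hypothetical fix, modelled on the C++ terminate() the report mentions:
 * append a NUL but do not count it, so a later append overwrites it. */
void varbufterminate(struct varbuf *v) {
    varbufaddbuf(v, "", 1);
    v->used--;
}

/* Length of the C string a caller such as stat() would actually see,
 * bounded by the allocation so that the check itself stays in bounds. */
static int visible_len(const struct varbuf *v) {
    int n = 0;
    while (n < v->size && v->buf[n] != '\0') n++;
    return n;
}

/* Builds instdir + name the way remove.c does, into a buffer first
 * filled with 'X' to stand in for stale heap contents (constructed).
 * Returns 1 if the string stat() would see is longer than what was
 * appended, i.e. the filename is corrupted by trailing garbage. */
int path_is_overlong(int terminate) {
    struct varbuf v;
    varbufinit(&v, 64);
    memset(v.buf, 'X', v.size);
    varbufaddstr(&v, "/");                 /* constructed instdir */
    varbufaddstr(&v, "usr/share/doc/pkg"); /* constructed namenode->name */
    if (terminate) varbufterminate(&v);
    int overlong = visible_len(&v) > v.used;
    free(v.buf);
    return overlong;
}

int main(void) {
    printf("without terminate: overlong=%d\n", path_is_overlong(0));
    printf("with terminate:    overlong=%d\n", path_is_overlong(1));
    return 0;
}
```

Without the terminator, the path handed to stat() runs on into whatever bytes follow in the allocation, which is exactly how a removal ends up operating on a name other than the one dpkg intended; with the terminator in place the visible string stops at the appended length.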