
Bug#92839: marked as done (dpkg: Integer overflow when comparing long versions)



Your message dated Sat, 24 Apr 2004 21:30:32 +0200
with message-id <874qr99ns7.fsf@yiwaz.raw.no>
and subject line Fixed, it seems
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 4 Apr 2001 00:41:12 +0000
Date: Tue, 3 Apr 2001 17:41:10 -0700
From: Aaron Lehmann <aaronl@vitelus.com>
To: Debian BTS Submissions <submit@bugs.debian.org>
Bcc: Misha Nasledov <misha@nasledov.com>
Subject: dpkg: Integer overflow when comparing long versions
Message-ID: <20010403174110.A8246@vitelus.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.15i
Delivered-To: submit@bugs.debian.org

Package: dpkg
Version: 1.8.3.1
Tags: patch

When comparing a version number that won't fit into a native integer,
dpkg falls prey to integer overflow. Here's an example of it
happening:

$ dpkg --compare-versions 200101102349 lt 200103301546; echo $? 
1

This isn't correct. But it can be avoided by comparing version strings
character by character. A nice advantage of that method is that there's
no need to distinguish between digits and other ASCII characters, making
the code shorter. My patched local copy returns the correct result:

$ ./dpkg --compare-versions 200101102349 lt 200103301546; echo $?
0

Just to make sure I didn't mess up, I fed it a few test vectors:


[aaronl@endquote:~/src/dpkg/main]$ ./dpkg --compare-versions 1 lt 4; echo $?
0
[aaronl@endquote:~/src/dpkg/main]$ dpkg --compare-versions 1 lt 4; echo $?
0
[aaronl@endquote:~/src/dpkg/main]$ ./dpkg --compare-versions 4444 eq 4444; echo $?
0
[aaronl@endquote:~/src/dpkg/main]$ dpkg --compare-versions 4444 eq 4444; echo $?
0
[aaronl@endquote:~/src/dpkg/main]$ ./dpkg --compare-versions "" eq 4444; echo $?
1
[aaronl@endquote:~/src/dpkg/main]$ dpkg --compare-versions "" eq 4444; echo $?
1

It looks OK. Please apply unless a problem is discovered.



Index: lib/vercmp.c
===================================================================
RCS file: /cvs/dpkg/dpkg/lib/vercmp.c,v
retrieving revision 1.4
diff -u -r1.4 vercmp.c
--- lib/vercmp.c	2000/12/20 08:47:49	1.4
+++ lib/vercmp.c	2001/04/04 00:22:42
@@ -33,32 +33,11 @@
 }
 
 static int verrevcmp(const char *val, const char *ref) {
-  int vc, rc;
-  long vl, rl;
-  const char *vp, *rp;
-
-  if (!val) val= "";
-  if (!ref) ref= "";
-  for (;;) {
-    vp= val;  while (*vp && !isdigit(*vp)) vp++;
-    rp= ref;  while (*rp && !isdigit(*rp)) rp++;
-    for (;;) {
-      vc= val == vp ? 0 : *val++;
-      rc= ref == rp ? 0 : *ref++;
-      if (!rc && !vc) break;
-      if (vc && !isalpha(vc)) vc += 256; /* assumes ASCII character set */
-      if (rc && !isalpha(rc)) rc += 256;
-      if (vc != rc) return vc - rc;
-    }
-    val= vp;
-    ref= rp;
-    vl=0;  if (isdigit(*vp)) vl= strtol(val,(char**)&val,10);
-    rl=0;  if (isdigit(*rp)) rl= strtol(ref,(char**)&ref,10);
-    if (vl != rl) return vl - rl;
-    if (!*val && !*ref) return 0;
-    if (!*val) return -1;
-    if (!*ref) return +1;
-  }
+	while (*val && *ref)
+		if (*val++ != *ref++) return *(val-1)-*(ref-1);
+	if (*val) return 1;
+	if (*ref) return -1;
+	return 0;
 }
 
 int versioncompare(const struct versionrevision *version,
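Review bot: the replacement loop in verrevcmp() compares bytes only, so digit runs of different lengths no longer order numerically. With `if (*val++ != *ref++) return *(val-1)-*(ref-1);` a revision of 10 sorts below 9 because '1' < '9', and the test vectors in the report do not catch this because they only use equal-length or empty operands. The hunk also drops the `if (!val) val= "";` and `if (!ref) ref= "";` guards, so a NULL argument is now dereferenced, and it drops the rule that letters sort before other characters. Suggest keeping the digit/non-digit segmentation and replacing only the two strtol() calls and `return vl - rl` with an overflow-free comparison of the digit runs (skip leading zeros, the longer run is greater, otherwise compare digit by digit), with the NULL guards restored.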

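An overflow-free way to compare the numeric parts, as an added example that is not part of the original report and is not dpkg's own code. It keeps the digit-run semantics of the removed function and goes beyond the reported case by handling digit runs of any length; the names `verrevcmp_safe`, `order` and `digitruncmp` are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Weight of one character in a non-digit run, as in the removed code:
 * letters sort before other characters; 0 means the run has ended. */
static int order(const char *p, const char *end) {
    unsigned char c = (unsigned char)*p;
    if (p == end) return 0;
    return isalpha(c) ? c : c + 256;
}

/* Compare two digit runs as numbers of any length, without converting
 * them to an integer type, and advance both pointers past the runs. */
static int digitruncmp(const char **val, const char **ref) {
    const char *v = *val, *r = *ref, *ve, *re;
    int d;
    while (*v == '0') v++;               /* leading zeros carry no value */
    while (*r == '0') r++;
    for (ve = v; isdigit((unsigned char)*ve); ve++) ;
    for (re = r; isdigit((unsigned char)*re); re++) ;
    *val = ve;
    *ref = re;
    if (ve - v != re - r)                /* more significant digits wins */
        return (ve - v) > (re - r) ? 1 : -1;
    d = memcmp(v, r, (size_t)(ve - v));  /* same length: text order == numeric order */
    return (d > 0) - (d < 0);
}

/* Hypothetical name; returns <0, 0 or >0 like the function in the patch. */
int verrevcmp_safe(const char *val, const char *ref) {
    if (!val) val = "";
    if (!ref) ref = "";
    while (*val || *ref) {
        const char *vp = val, *rp = ref;
        int vc, rc, d;
        while (*vp && !isdigit((unsigned char)*vp)) vp++;
        while (*rp && !isdigit((unsigned char)*rp)) rp++;
        do {                             /* non-digit prefixes, one character at a time */
            vc = order(val, vp); if (vc) val++;
            rc = order(ref, rp); if (rc) ref++;
            if (vc != rc) return vc < rc ? -1 : 1;
        } while (vc);
        d = digitruncmp(&val, &ref);
        if (d) return d;
    }
    return 0;
}
```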
---------------------------------------
Received: (at 92839-done) by bugs.debian.org; 24 Apr 2004 19:30:38 +0000
To: 92839-done@bugs.debian.org
Subject: Fixed, it seems
Mail-Copies-To: never
From: Tollef Fog Heen <tfheen@raw.no>
Organization: Private
Date: Sat, 24 Apr 2004 21:30:32 +0200
Message-ID: <874qr99ns7.fsf@yiwaz.raw.no>
User-Agent: Gnus/5.1006 (Gnus v5.10.6) Emacs/21.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Delivered-To: 92839-done@bugs.debian.org


This bug seems to have been fixed in dpkg, so closing this bug.  The
original test case now, and I'm not able to reproduce it with bigger
numbers.   Based on this, I'm closing this bug.

-- 
Tollef Fog Heen                                                        ,''`.
UNIX is user friendly, it's just picky about who its friends are      : :' :
                                                                      `. `' 
                                                                        `-  


