Bug#155842: Memory handling bugs
Package: apt
Version: 0.5.4
Severity: normal
Tags: patch
There are some bugs in the libapt-pkg code where uninitialized (or in
theory even unallocated) memory is read. Specifically:
- In apt-pkg/tagfile.cc:214 and 220, Stop[1] or Stop[0] might be read
even if Stop==End (because the bounds check comes after the dereference in each loop condition)
- In apt-pkg/versionmatch.cc:106, RelVerStr.end()[-1] might be read even
if RelVerStr.length()==0.
Attached is the (trivial) fix I propose.
Sami
diff -ur apt-0.5.4/apt-pkg/tagfile.cc mod/apt-pkg/tagfile.cc
--- apt-0.5.4/apt-pkg/tagfile.cc 2001-05-14 08:56:26.000000000 +0300
+++ mod/apt-pkg/tagfile.cc 2002-08-07 23:36:24.000000000 +0300
@@ -211,13 +211,13 @@
if (Stop == 0)
return false;
- for (; Stop[1] == '\r' && Stop+1 < End; Stop++);
+ for (; Stop+1 < End && Stop[1] == '\r'; Stop++);
// Double newline marks the end of the record
if (Stop+1 < End && Stop[1] == '\n')
{
Indexes[TagCount] = Stop - Section;
- for (; (Stop[0] == '\n' || Stop[0] == '\r') && Stop < End; Stop++);
+ for (; Stop < End && (Stop[0] == '\n' || Stop[0] == '\r'); Stop++);
return true;
}
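Review bot: The reordered loop conditions on the two `+` lines are correct but carry no explanation, and the next maintainer could easily "tidy" them back into the original order, reintroducing the out-of-bounds read; a comment such as `// Bound check must come first: End is one past the last byte, so Stop[1] is only valid when Stop+1 < End` above the first loop would pin the intent. The empty-bodied `for (...);` form also hides the fact that the loop does all its work in the condition; writing the trailing `;` as `{}` or `continue;` makes that visible. The enclosing function starts and ends outside the hunk, so whether `Stop` can ever be a null or past-the-end pointer on entry cannot be confirmed from here.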
diff -ur apt-0.5.4/apt-pkg/versionmatch.cc mod/apt-pkg/versionmatch.cc
--- apt-0.5.4/apt-pkg/versionmatch.cc 2001-06-10 04:57:45.000000000 +0300
+++ mod/apt-pkg/versionmatch.cc 2002-08-07 23:50:38.000000000 +0300
@@ -103,7 +103,7 @@
RelComponent = Fragments[J]+2;
}
- if (RelVerStr.end()[-1] == '*')
+ if (RelVerStr.length() > 0 && RelVerStr.end()[-1] == '*')
{
RelVerPrefixMatch = true;
RelVerStr = string(RelVerStr.begin(),RelVerStr.end()-1);
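Review bot: The added `RelVerStr.length() > 0` guard on the `+` line is correct, since `end()[-1]` on an empty string steps before `begin()`, but `!RelVerStr.empty() && RelVerStr[RelVerStr.length()-1] == '*'` says the same thing without iterator arithmetic and is the more common idiom. A one-line comment, `// Empty RelVerStr has no trailing character to test (end()[-1] would read before begin())`, would explain why the emptiness check precedes the comparison. The same guard also covers the `RelVerStr.end()-1` on the following line, which is only reached when the string is non-empty. The enclosing function starts and ends outside the hunk.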