Re: Re: 'apt' irresponsible/old string methods

To: manuel.montezelo@gmail.com
Cc: deity@lists.debian.org
Subject: Re: Re: 'apt' irresponsible/old string methods
From: Joshua Rogers <megamansec@gmail.com>
Date: Sat, 15 Nov 2014 06:47:09 +1100
Message-id: <[🔎] 54665C3D.5080600@gmail.com>
In-reply-to: <[🔎] 20141114190209.GA4776@reva.itsari.org>
References: <[🔎] 20141114190209.GA4776@reva.itsari.org>

FWIW, we have this bug in aptitude about similar issues:

 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767533

Yes, I reported that one too.

As you mentioned in that report, it is good practice, for the future, and for future changes:

And in general, there's no need to risk this kind of overflows, which can be
propagated even by copy and paste or if the envolving string is modified to
e.g. " [ %sbytes/%sbytes ]".

In this report, the code is all there, but the only thing that is (probably) stopping the off-by-one overflow is the CPU(i.e does the CPU think that an unsigned int = an unsigned 64-bit int?)

Also, here's another bug in the same context..
apt-pkg/contrib/stul.cc

      if (Port != 0)
      {
         char S[30];
         sprintf(S,":%u",Port);
         Res += S;
      }

Why use S[30]? it should be 22(if you're doing this strange 64-bit max unsigned int thing for the port-number)..

Anyways, that's just my opinion! Always welcome to others' views. :)

Thanks,

--
-- Joshua Rogers <https://internot.info/>

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to:

References:
- Re: 'apt' irresponsible/old string methods
  - From: "Manuel A. Fernandez Montecelo" <manuel.montezelo@gmail.com>

Prev by Date: Re: 'apt' irresponsible/old string methods
Next by Date: Bug#769608: apt-cache pkgname overlooks some packages
Previous by thread: Re: 'apt' irresponsible/old string methods
Next by thread: Bug#769608: apt-cache pkgname overlooks some packages
Index(es):
- Date
- Thread