diff options
| author | Demi M. Obenour <demiobenour@gmail.com> | 2020-12-29 22:59:36 -0500 |
|---|---|---|
| committer | Panu Matilainen <pmatilai@redhat.com> | 2021-03-22 12:12:12 +0200 |
| commit | 55a444f826584a1d4e55fd470b4ad223d16af2e8 (patch) | |
| tree | 7c1891ecdf620ddc66f7b0841824b1b44475b6e5 | |
| parent | 5c354742ec998bd32206a51df509979a3474945d (diff) | |
| download | rpm-55a444f826584a1d4e55fd470b4ad223d16af2e8.tar.gz | |
Avoid incrementing a pointer past the end
The ‘end’ parameter to ‘strtaglen’ might point past the end of an
allocation. Therefore, if ‘start’ becomes equal to ‘end’, exit the loop
without calling ‘memchr’ on it.
(cherry picked from commit 165330b7bf0757e30fa8a6de9998a564fb62796f)
| -rw-r--r-- | lib/header.c | 6 |
1 files changed, 2 insertions, 4 deletions
diff --git a/lib/header.c b/lib/header.c index dd5d569e6..82b90eda0 100644 --- a/lib/header.c +++ b/lib/header.c @@ -426,10 +426,8 @@ static inline int strtaglen(const char *str, rpm_count_t c, const char *end) const char *s; if (end) { - if (str >= end) - return -1; - while ((s = memchr(start, '\0', end-start))) { - if (--c == 0 || s > end) + while (end > start && (s = memchr(start, '\0', end-start))) { + if (--c == 0) break; start = s + 1; } |