diff options
| author | Demi M. Obenour <demiobenour@gmail.com> | 2020-12-29 22:59:36 -0500 |
|---|---|---|
| committer | Panu Matilainen <pmatilai@redhat.com> | 2021-03-22 12:04:27 +0200 |
| commit | 62eee3f9f0399bcf3280c2816ec637b68f3fa72e (patch) | |
| tree | 1aa90a45d071c01f5cfa5fde27afd98867236c5d | |
| parent | ef928c4e8fc9e3e9949752623dc773362810716a (diff) | |
| download | rpm-62eee3f9f0399bcf3280c2816ec637b68f3fa72e.tar.gz | |
Avoid incrementing a pointer past the end
The ‘end’ parameter to ‘strtaglen’ might point past the end of an
allocation. Therefore, if ‘start’ becomes equal to ‘end’, exit the loop
without calling ‘memchr’ on it.
(cherry picked from commit 165330b7bf0757e30fa8a6de9998a564fb62796f)
| -rw-r--r-- | lib/header.c | 6 |
1 files changed, 2 insertions, 4 deletions
diff --git a/lib/header.c b/lib/header.c index e423ad172..f6d2b0033 100644 --- a/lib/header.c +++ b/lib/header.c @@ -412,10 +412,8 @@ static inline int strtaglen(const char *str, rpm_count_t c, const char *end) const char *s; if (end) { - if (str >= end) - return -1; - while ((s = memchr(start, '\0', end-start))) { - if (--c == 0 || s > end) + while (end > start && (s = memchr(start, '\0', end-start))) { + if (--c == 0) break; start = s + 1; } |