From 55a444f826584a1d4e55fd470b4ad223d16af2e8 Mon Sep 17 00:00:00 2001 From: "Demi M. Obenour" Date: Tue, 29 Dec 2020 22:59:36 -0500 Subject: Avoid incrementing a pointer past the end MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The ‘end’ parameter to ‘strtaglen’ might point past the end of an allocation. Therefore, if ‘start’ becomes equal to ‘end’, exit the loop without calling ‘memchr’ on it. (cherry picked from commit 165330b7bf0757e30fa8a6de9998a564fb62796f) --- lib/header.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/lib/header.c b/lib/header.c index dd5d569e6..82b90eda0 100644 --- a/lib/header.c +++ b/lib/header.c @@ -426,10 +426,8 @@ static inline int strtaglen(const char *str, rpm_count_t c, const char *end) const char *s; if (end) { - if (str >= end) - return -1; - while ((s = memchr(start, '\0', end-start))) { - if (--c == 0 || s > end) + while (end > start && (s = memchr(start, '\0', end-start))) { + if (--c == 0) break; start = s + 1; } -- cgit v1.2.1
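Review bot: In the `if (end)` branch of `strtaglen`, dropping the `if (str >= end) return -1;` guard means `s` can reach the code after the loop without ever being assigned. The context line declares it as `const char *s;` with no initializer, and the new condition `end > start && (s = memchr(...))` short-circuits before the assignment when `end > start` is already false on the first test (assuming `start` begins at `str`, which the hunk does not show). The code that follows the loop is outside this hunk, so whether it reads `s` in that case cannot be confirmed from here. Either initialize it (`const char *s = NULL;`) or keep an explicit early return for `str >= end`, so the empty-range case does not depend on the value of `c` alone. Removing `s > end` looks fine, since `memchr` is bounded by `end-start` and cannot return a pointer at or past `end`. A short comment stating that `end` is an exclusive bound and may itself lie past the allocation would record why the `end > start` test has to come before the `memchr` call.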