From 62eee3f9f0399bcf3280c2816ec637b68f3fa72e Mon Sep 17 00:00:00 2001 From: "Demi M. Obenour" Date: Tue, 29 Dec 2020 22:59:36 -0500 Subject: Avoid incrementing a pointer past the end MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The ‘end’ parameter to ‘strtaglen’ might point past the end of an allocation. Therefore, if ‘start’ becomes equal to ‘end’, exit the loop without calling ‘memchr’ on it. (cherry picked from commit 165330b7bf0757e30fa8a6de9998a564fb62796f) --- lib/header.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/lib/header.c b/lib/header.c index e423ad172..f6d2b0033 100644 --- a/lib/header.c +++ b/lib/header.c @@ -412,10 +412,8 @@ static inline int strtaglen(const char *str, rpm_count_t c, const char *end) const char *s; if (end) { - if (str >= end) - return -1; - while ((s = memchr(start, '\0', end-start))) { - if (--c == 0 || s > end) + while (end > start && (s = memchr(start, '\0', end-start))) { + if (--c == 0) break; start = s + 1; } -- cgit v1.2.1
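Review bot: with the `if (str >= end) return -1;` guard removed from the `if (end)` branch, a call where `str >= end` now skips the loop entirely, so `s` (declared as `const char *s;` with no initializer) is never assigned and the error result depends entirely on code after the loop that this hunk does not show. The same holds when `start` reaches `end` before `c` drops to zero: `s` then still points at the previous NUL rather than being NULL from a failed `memchr`. Please confirm that the return path decides failure from `c` alone before it reads `s`. Initializing `s` to NULL at the declaration would make that independent of evaluation order. Dropping `|| s > end` looks fine, since `memchr` bounded by `end-start` cannot return a pointer at or beyond `end`. A short comment on the new `end > start` condition would help, noting that it both avoids calling `memchr` once `start` has reached `end` and keeps `end-start` from going negative and being converted to a huge length.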