The following commit has been merged in the master branch: commit 10211292855ac5548ef4a56df7a9dd6d3081da41 Author: Guillem Jover <guil...@debian.org> Date: Sun Jul 25 18:50:18 2010 +0200
libdpkg: Fix buffer size limit handling in path_quote_filename Fix an off-by-one error on size limit NUL termination outside the loop, and thus make sure then that size is always > 0 so that we don't write outside the bounds. Check there's enough room when quoting '\\', and terminate the string and return otherwise. Remove XXX comments now that the code works fine.
diff --git a/lib/dpkg/path.c b/lib/dpkg/path.c
index 76e9833..01bac7a 100644
--- a/lib/dpkg/path.c
+++ b/lib/dpkg/path.c
@@ -110,12 +110,20 @@ path_quote_filename(char *dst, const char *src, size_t n)
 char *r = dst;
 ssize_t size = (ssize_t)n;
+ if (size == 0)
+ return r;
+
 while (size > 0) {
 switch (*src) {
 case '\0':
 *dst = '\0';
 return r;
 case '\\':
+ if (size <= 2) {
+ /* Buffer full. */
+ *dst = '\0';
+ return r;
+ }
 *dst++ = '\\';
 *dst++ = '\\';
 src++;
@@ -134,13 +142,14 @@ path_quote_filename(char *dst, const char *src, size_t n)
 src++;
 } else {
 /* Buffer full. */
- *dst = '\0'; /* XXX */
+ *dst = '\0';
 return r;
 }
 }
 }
 }
- *dst = '\0'; /* XXX */
+ /* Buffer full. */
+ *(dst - 1) = '\0';
 return r;
 }
-- dpkg's main repository -- To UNSUBSCRIBE, email to debian-dpkg-cvs-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
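Review bot: The added `if (size == 0)` guard in the first hunk does not cover a negative `size`, which the visible cast `(ssize_t)n` produces when `n` is larger than ssize_t can hold. In that case `while (size > 0)` never runs, and the new `*(dst - 1) = '\0';` in the second hunk stores one byte before the start of the caller's buffer. Widening the guard to `if (size <= 0)` followed by `return r;` closes that path. Keeping the counter as `size_t` would remove the sign question altogether, but the middle of the function is outside both hunks, so I cannot tell whether it relies on signed arithmetic.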
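Review bot: The comment `/* Buffer full. */` above `*(dst - 1) = '\0';` in the second hunk does not say that this store overwrites the last byte already copied, which is the reason the function must not reach it without having written at least one byte. A comment stating the invariant would help the next reader, for example `/* Loop ended with size == 0: replace the last byte written with the terminator so the result stays within n bytes. */`. The output is also truncated without any signal to the caller; if callers need to tell a truncated name from a complete one, that belongs in the function's documentation, which lies outside this hunk.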