On Sun, 26 May 2002, Petter Reinholdtsen wrote: > > Package: dpkg > Version: 1.9.21 > Severity: normal > Tags: patch > > The following patch fixes a off by one error in dpkg. It reads one > past the allocated buffer. > > I discovered it using valgrind, > <URL:http://developer.kde.org/~sewardj/>. > > --- lib/parsehelp.c.orig Sun May 26 19:24:23 2002 > +++ lib/parsehelp.c Sun May 26 19:22:34 2002 > @@ -214,7 +214,7 @@ > } else { > rversion->epoch= 0; > } > - rversion->version= nfstrnsave(string,end-string+1); > + rversion->version= nfstrnsave(string,end-string); > hyphen= strrchr(rversion->version,'-'); > if (hyphen) *hyphen++= 0; > rversion->revision= hyphen ? hyphen : "";
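Review bot: the hunk changes only the length passed to nfstrnsave(), from end-string+1 to end-string, but it does not show how end is computed, so a reader of the patch cannot tell whether end points at the last character of the version (in which case end-string is one byte short) or one past it; the patch description should state which, and a test with a one-character version would settle it. Either way the one-past-the-buffer read is in the callee, not here: nfstrnsave() does obstack_copy(&db_obs, string, l + 1) and then overwrites ret[l] with 0, so it reads l + 1 source bytes for a string the caller only guarantees to be l bytes long. Changing the caller's argument shifts where the overread lands rather than removing it; the fix belongs in nfstrnsave(), copying exactly l bytes with obstack_copy0(), which appends the terminator itself.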
This is a problem, but this is not the proper fix. Let's say string == 0x5, and end == 0x6. This means we need to copy 2 chars (0x5 and 0x6, or 0x6 - 0x5 + 1). So, your buffer overrun does not occur in this code. However, if we look at nfstrnsave:

==
char *nfstrnsave(const char *string, int l) {
  char *ret;
  OBSTACK_INIT;
  ret = obstack_copy (&db_obs, string, l + 1);
  *(ret + l) = 0;
  return ret;
}
==

You'll see that we add 1 to l, and this is where it occurs. We are attempting to allocate a new memory block with the size l, plus one byte. The issue is that the source buffer may not be l + 1 in length. The solution is to use obstack_copy0 instead of obstack_copy, and not add 1 to l.

I'm checking this fix into HEAD, for 1.10.
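The two shapes of nfstrnsave() discussed in the reply, as an added C example that is not part of this thread or of the dpkg source: model_obstack_copy() and model_obstack_copy0() are this example's own stand-ins for glibc's obstack_copy()/obstack_copy0(), using the heap instead of an obstack and taking an extra `readable` parameter (how many bytes are actually valid at the source) so that an out-of-bounds read fails visibly instead of silently, as it did until valgrind flagged it. The input strings are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for obstack_copy(): copies n bytes, no terminator appended.
 * Refuses (returns NULL) if the copy would read past `readable` bytes,
 * which is the read a real obstack_copy() would perform without complaint. */
static char *model_obstack_copy(const char *src, size_t readable, size_t n) {
    if (n > readable)
        return NULL;                 /* would read src[readable .. n-1] */
    char *p = malloc(n ? n : 1);
    if (p == NULL)
        return NULL;
    memcpy(p, src, n);
    return p;                        /* not NUL-terminated, like obstack_copy */
}

/* Stand-in for obstack_copy0(): copies n bytes and appends the NUL itself. */
static char *model_obstack_copy0(const char *src, size_t readable, size_t n) {
    if (n > readable)
        return NULL;
    char *p = malloc(n + 1);
    if (p == NULL)
        return NULL;
    memcpy(p, src, n);
    p[n] = '\0';
    return p;
}

/* The 1.9.21 shape quoted in the reply: copy l + 1 bytes, then terminate.
 * It reads src[l], which is only safe if the caller actually owns that byte. */
char *nfstrnsave_orig(const char *string, size_t readable, int l) {
    char *ret = model_obstack_copy(string, readable, (size_t)l + 1);
    if (ret == NULL)
        return NULL;
    ret[l] = '\0';
    return ret;
}

/* The fix described in the reply: copy exactly l bytes with copy0. */
char *nfstrnsave_fixed(const char *string, size_t readable, int l) {
    return model_obstack_copy0(string, readable, (size_t)l);
}

/* Returns 1 if the original shape would overread for this input. */
int orig_overreads(const char *string, size_t readable, int l) {
    char *r = nfstrnsave_orig(string, readable, l);
    int overread = (r == NULL);
    free(r);
    return overread;
}

/* Returns 1 if the fixed shape yields exactly `expect` without overreading. */
int fixed_yields(const char *string, size_t readable, int l, const char *expect) {
    char *r = nfstrnsave_fixed(string, readable, l);
    int ok = (r != NULL) && strcmp(r, expect) == 0;
    free(r);
    return ok;
}

int main(void) {
    /* Constructed input: the version "1.9.21" is the first 6 bytes of a
     * longer field, and the caller only guarantees those 6 bytes. */
    const char *field = "1.9.21-2";
    int l = 6;
    printf("orig overreads:   %d\n", orig_overreads(field, (size_t)l, l));          /* 1 */
    printf("fixed ok:         %d\n", fixed_yields(field, (size_t)l, l, "1.9.21"));  /* 1 */
    /* With a NUL-terminated source of length l the original happens to be
     * safe, because src[l] is the terminator the caller does own. */
    printf("orig safe w/ NUL: %d\n", !orig_overreads("1.9.21", 7, 6));              /* 1 */
    return 0;
}
```

The point the reply makes is visible in the two helpers: the original reads l + 1 source bytes and then throws the last one away when it writes ret[l] = 0, so the extra read buys nothing and is out of bounds whenever the caller hands over a non-terminated l-byte slice; copy0 with l reads only what the caller promised.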