The following commit has been merged in the master branch:

commit e759410b2e9eb1c48bb344d2ad17bfc420ddf57a
Author: Guillem Jover <[email protected]>
Date: Sun Jul 25 14:51:11 2010 +0200

    libdpkg: Fix buffer overflow in path_quote_filename

    When the string was longer than the size limit, the loop would continue
    as the unsigned size would wrap around 0 to SIZE_MAX, and subsequently
    segfault on the out-of-bounds access. Use ssize_t for the size variable.

    Regression introduced in f35d66dbc228bc8ad2c5255dee1bf4ecf9ee6e06.

diff --git a/lib/dpkg/path.c b/lib/dpkg/path.c
index 0b384be..c4ee2ee 100644
--- a/lib/dpkg/path.c
+++ b/lib/dpkg/path.c
@@ -105,9 +105,10 @@ path_make_temp_template(const char *suffix)
* but here we escape all 8 bit chars, in order make it simple.
*/
char *
-path_quote_filename(char *dst, const char *src, size_t size)
+path_quote_filename(char *dst, const char *src, size_t n)
{
char *r = dst;
+ ssize_t size = (ssize_t)n;
while (size > 0) {
switch (*src) {
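
Review bot: The new `ssize_t size = (ssize_t)n;` at the top of path_quote_filename converts the caller's unsigned length to signed with no range check, so any n above SSIZE_MAX becomes negative and `while (size > 0)` is skipped entirely. Consider rejecting or clamping such an n before the cast, and documenting the limit in the function comment. Separately, a signed counter only stops the loop after the count has gone below zero; the hunk does not show the switch cases, so it is worth confirming that each case checks the remaining space before it writes a multi-byte escape, rather than relying on the loop condition being re-tested afterwards. Keeping `size_t` and comparing the bytes needed against the bytes left before each write would avoid both the cast and the reliance on a negative count.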
--
dpkg's main repository