Public bug reported: [Impact] Out-of-bounds read in an array, causing segmentation fault
[Testcase] On amd64: python3-dbg -c 'import apt, apt_pkg; sr=apt_pkg.SourceRecords(); sr.lookup("dq"); print(sr.build_depends)' crashes.
[Regression potential] This is a simple off-by-one fix. There really should be no regressions, but if there were, only for people using SourceRecords.build_depends - the list could now be shorter (depending on memory).

diff --git a/python/pkgsrcrecords.cc b/python/pkgsrcrecords.cc index 9ca21c5a..77b490cb 100644 --- a/python/pkgsrcrecords.cc +++ b/python/pkgsrcrecords.cc @@ -220,7 +220,7 @@ static PyObject *PkgSrcRecordsGetBuildDepends(PyObject *Self,void*) { bd[i].Version.c_str(), pkgCache::CompType(bd[i].Op)); PyList_Append(OrGroup, v); Py_DECREF(v); - if (pkgCache::Dep::Or != (bd[i].Op & pkgCache::Dep::Or) || i == bd.size()) + if (pkgCache::Dep::Or != (bd[i].Op & pkgCache::Dep::Or) || i + 1 >= bd.size()) break; i++; }

** Affects: python-apt (Ubuntu)
   Importance: High
   Status: In Progress

** Changed in: python-apt (Ubuntu)
   Status: New => In Progress

** Changed in: python-apt (Ubuntu)
   Importance: Undecided => High

https://bugs.launchpad.net/bugs/1694702

Title: off-by-one error when translating source records build depends
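Review bot: the patch to python/pkgsrcrecords.cc carries no regression test, although the report already has a one-line reproducer; adding a test that runs sr.lookup("dq") and reads sr.build_depends would keep the bound in PkgSrcRecordsGetBuildDepends from regressing. On the changed line itself, the new `i + 1 >= bd.size()` check is correct only because it runs before `i++` and after `bd[i]` has been read and appended, so a short comment above the `if` saying that it stops the Or-group walk at the last element (including when that element still has the `pkgCache::Dep::Or` bit set) would make the ordering dependency explicit. The hunk does not show the declaration of `i` or the enclosing loop, so it is worth confirming that `i + 1` is compared against `bd.size()` in the same unsigned type and that the outer loop's own bound is still satisfied after this `break`.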