Public bug reported:

[Impact]
Out-of-bounds read in an array, causing segmentation fault

[Testcase]
On amd64:

python3-dbg -c 'import apt, apt_pkg; sr=apt_pkg.SourceRecords();
sr.lookup("dq"); print(sr.build_depends)'

crashes.

[Regression potential]
This is a simple off-by-one fix. There really should be no regressions, but if 
there were, only for people using SourceRecords.build_depends - the list could 
now be shorter (depending on memory).

diff --git a/python/pkgsrcrecords.cc b/python/pkgsrcrecords.cc
index 9ca21c5a..77b490cb 100644
--- a/python/pkgsrcrecords.cc
+++ b/python/pkgsrcrecords.cc
@@ -220,7 +220,7 @@ static PyObject *PkgSrcRecordsGetBuildDepends(PyObject 
*Self,void*) {
                        bd[i].Version.c_str(), pkgCache::CompType(bd[i].Op));
            PyList_Append(OrGroup, v);
            Py_DECREF(v);
-           if (pkgCache::Dep::Or != (bd[i].Op & pkgCache::Dep::Or) || i == 
bd.size())
+           if (pkgCache::Dep::Or != (bd[i].Op & pkgCache::Dep::Or) || i + 1 >= 
bd.size())
               break;
         i++;
      }
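
Review bot: in the changed condition, the bounds test `i + 1 >= bd.size()` is evaluated only after `bd[i].Op` has been read (and `bd[i].Version` is read in the context lines above it), so the fix depends on the enclosing loop guaranteeing `i < bd.size()` on entry, which is not visible in this hunk. Consider moving the bound into the loop condition or testing it first, and add a short comment that a final entry with the Or flag set ends the group instead of advancing past the end of `bd`. A regression test built from the `sr.lookup("dq")` testcase in the report would keep the crash from coming back.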

** Affects: python-apt (Ubuntu)
     Importance: High
         Status: In Progress

** Changed in: python-apt (Ubuntu)
       Status: New => In Progress

** Changed in: python-apt (Ubuntu)
   Importance: Undecided => High

https://bugs.launchpad.net/bugs/1694702

Title:
  off-by-one error when translating source records build depends
