-rw-r--r--patches/0003-libopkg-Fix-segfault-on-trailing-comma-in-deps.patch39
1 files changed, 39 insertions, 0 deletions
diff --git a/patches/0003-libopkg-Fix-segfault-on-trailing-comma-in-deps.patch b/patches/0003-libopkg-Fix-segfault-on-trailing-comma-in-deps.patch
new file mode 100644
index 0000000..56181dd
--- /dev/null
+++ b/patches/0003-libopkg-Fix-segfault-on-trailing-comma-in-deps.patch
@@ -0,0 +1,39 @@
+From a47ab58d94a48bd86fbb0fc54caea651464beaea Mon Sep 17 00:00:00 2001
+From: Patrick McDermott <patrick.mcdermott@libiquity.com>
+Date: Sat, 6 Apr 2019 11:12:31 -0400
+Subject: [PATCH] libopkg: Fix segfault on trailing comma in deps
+
+A "Depends" or other package relationship field with a trailing comma
+(followed by zero or more whitespace characters) in any package feed
+list will cause opkg after commit 98ce8c2 ("pkg: convert most other
+struct members into dynamic blob buffer fields") to segfault.
+
+In the case of a trailing comma, parseDepends() has always been called
+with a string containing only the whitespace (if any) following the
+comma, and previously a copy loop extracted the dependency package name
+as an empty string. Now, strtok() returns NULL as the package name,
+which is passed through ensure_abstract_pkg_by_name(),
+abstract_pkg_fetch_by_name(), hash_table_get(), hash_index(), and
+finally djb2_hash() which dereferences the NULL pointer.
+
+Signed-off-by: Patrick McDermott <patrick.mcdermott@libiquity.com>
+---
+ libopkg/pkg_depends.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libopkg/pkg_depends.c b/libopkg/pkg_depends.c
+index 3abdcd3..6d075f2 100644
+--- a/libopkg/pkg_depends.c
++++ b/libopkg/pkg_depends.c
+@@ -1025,6 +1025,8 @@ static int parseDepends(compound_depend_t * compound_depend, char *depend_str, e
+
+ for (i = 0, depend = strtok_r(depend_str, "|", &tok); depend; i++, depend = strtok_r(NULL, "|", &tok)) {
+ name = strtok(depend, " ");
++ if (!name)
++ break;
+ rest = strtok(NULL, "\n");
+
+ tmp = realloc(possibilities, sizeof(tmp) * (i + 1));
+--
+2.11.0
+
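Review bot: The added `if (!name) break;` in parseDepends() ends the whole `|` loop at the first alternative that holds only spaces, so any alternatives after it are dropped without a message, and in the trailing-comma case the loop exits with `i == 0` before the `realloc()` has run. Whether the code after the loop and the callers cope with a compound dependency that has no possibilities cannot be seen from this hunk and should be confirmed, since the input comes from package feed lists. I would state the reason at the guard, e.g. `/* whitespace-only alternative (trailing comma): strtok() returns NULL and must not reach the hash lookup */`, and report an error to the caller if an empty compound dependency is not valid there. A plain `continue` is not a drop-in alternative because the `for` header would still increment `i`; the function body starts and ends outside the hunk.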