From a4c13397c7ea899c0aaef10b089bac48dc655cd3 Mon Sep 17 00:00:00 2001
From: Patrick McDermott
Date: Sat, 6 Apr 2019 11:12:31 -0400
Subject: [PATCH 4/6] libopkg: Fix segfault on trailing comma in deps

A "Depends" or other package relationship field with a trailing comma (followed by zero or more whitespace characters) in any package feed list will cause opkg after commit 98ce8c2 ("pkg: convert most other struct members into dynamic blob buffer fields") to segfault. In the case of a trailing comma, parseDepends() has always been called with a string containing only the whitespace (if any) following the comma, and previously a copy loop extracted the dependency package name as an empty string. Now, strtok() returns NULL as the package name, which is passed through ensure_abstract_pkg_by_name(), abstract_pkg_fetch_by_name(), hash_table_get(), hash_index(), and finally djb2_hash() which dereferences the NULL pointer.

Signed-off-by: Patrick McDermott
---
 libopkg/pkg_depends.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libopkg/pkg_depends.c b/libopkg/pkg_depends.c
index 3abdcd3..6d075f2 100644
--- a/libopkg/pkg_depends.c
+++ b/libopkg/pkg_depends.c
@@ -1025,6 +1025,8 @@ static int parseDepends(compound_depend_t * compound_depend, char *depend_str, e
 for (i = 0, depend = strtok_r(depend_str, "|", &tok); depend; i++, depend = strtok_r(NULL, "|", &tok)) {
 name = strtok(depend, " ");
+ if (!name)
+ break;
 rest = strtok(NULL, "\n");
 tmp = realloc(possibilities, sizeof(tmp) * (i + 1));
-- 
2.11.0
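Review bot: The added `if (!name) break;` stops the NULL dereference but silently accepts malformed input: a whitespace-only element (the trailing-comma case) produces no diagnostic, and an empty alternative in the middle of a relationship such as `a | | b` also hits the break and drops every alternative after it without any warning. Since the feed list is data the package manager does not control, consider emitting a notice through whatever logging helper this file already uses before the break, so a corrupt or tampered feed is visible rather than parsed into a shorter dependency than the one written. When the break fires on the first iteration, `i` is 0 and `possibilities` keeps its pre-loop value, so the code after the hunk that stores the array and count into `compound_depend` has to tolerate a zero-possibility entry; the rest of parseDepends lies outside the hunk, so this should be confirmed. As a style point, the inner `strtok()` calls rely on static state inside a loop already driven by `strtok_r()`; `char *sp; name = strtok_r(depend, " ", &sp); ... rest = strtok_r(NULL, "\n", &sp);` would keep the whole loop reentrant.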