path: root/patches/0004-libopkg-Fix-segfault-on-trailing-comma-in-deps.patch
blob: 825fe37f9a8aaeae7cfde77df1e99c5babfb048e (plain)
From a4c13397c7ea899c0aaef10b089bac48dc655cd3 Mon Sep 17 00:00:00 2001
From: Patrick McDermott <patrick.mcdermott@libiquity.com>
Date: Sat, 6 Apr 2019 11:12:31 -0400
Subject: [PATCH 4/6] libopkg: Fix segfault on trailing comma in deps

A "Depends" or other package relationship field with a trailing comma
(followed by zero or more whitespace characters) in any package feed
list will cause opkg after commit 98ce8c2 ("pkg: convert most other
struct members into dynamic blob buffer fields") to segfault.

In the case of a trailing comma, parseDepends() has always been called
with a string containing only the whitespace (if any) following the
comma, and previously a copy loop extracted the dependency package name
as an empty string.  Now, strtok() returns NULL as the package name,
which is passed through ensure_abstract_pkg_by_name(),
abstract_pkg_fetch_by_name(), hash_table_get(), hash_index(), and
finally djb2_hash() which dereferences the NULL pointer.

Signed-off-by: Patrick McDermott <patrick.mcdermott@libiquity.com>
---
 libopkg/pkg_depends.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libopkg/pkg_depends.c b/libopkg/pkg_depends.c
index 3abdcd3..6d075f2 100644
--- a/libopkg/pkg_depends.c
+++ b/libopkg/pkg_depends.c
@@ -1025,6 +1025,8 @@ static int parseDepends(compound_depend_t * compound_depend, char *depend_str, e
 
 	for (i = 0, depend = strtok_r(depend_str, "|", &tok); depend; i++, depend = strtok_r(NULL, "|", &tok)) {
 		name = strtok(depend, " ");
+		if (!name)
+			break;
 		rest = strtok(NULL, "\n");
 
 		tmp = realloc(possibilities, sizeof(tmp) * (i + 1));
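Review bot: the `if (!name) break;` guard leaves the alternatives loop without signalling that the field was malformed. In the trailing-comma case from the commit message this happens on the first pass, so `i` is still 0 and the `realloc()` of `possibilities` below has not run. The code after the loop is not visible in this hunk, so please confirm that it and the callers handle a compound dependency with zero possibilities, or return an error here so the bad feed entry is reported rather than silently accepted. Also, `strtok(depend, " ")` splits on the space character only, so a token consisting of tabs or other whitespace still produces a non-NULL `name` and is not caught by this check; if the caller does not already strip such characters, widen the delimiter set or reject an empty name after trimming.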
-- 
2.11.0