[devel] [PATCH for apt v2 03/21] Fix potential memory corruption in pkgCache::DepIterator::AllTargets()
Aleksei Nikiforov
darktemplar на altlinux.org
Чт Дек 12 12:57:12 MSK 2019
Use dynamic memory allocation instead of predefined buffer.
Found via cppcheck during investigation of:
(style) Condition 'Res!=0' is always true
---
apt/apt-pkg/pkgcache.cc | 45 ++++++++++++++++++++++++++---------------
1 file changed, 29 insertions(+), 16 deletions(-)
diff --git a/apt/apt-pkg/pkgcache.cc b/apt/apt-pkg/pkgcache.cc
index dfdba6b..afefe3b 100644
--- a/apt/apt-pkg/pkgcache.cc
+++ b/apt/apt-pkg/pkgcache.cc
@@ -388,8 +388,10 @@ bool pkgCache::DepIterator::SmartTargetPkg(PkgIterator &Result)
must be delete [] 'd */
pkgCache::Version **pkgCache::DepIterator::AllTargets()
{
- Version *Res[1024];
- unsigned int Size = 0;
+ Version **Res = nullptr;
+ size_t Size = 0;
+
+ while (true)
{
PkgIterator DPkg = TargetPkg();
@@ -405,9 +407,9 @@ pkgCache::Version **pkgCache::DepIterator::AllTargets()
continue;
Version *v = I;
- if (Res != 0 && Size > 0) {
+ if (Res != nullptr && Size > 0) {
bool seen = false;
- for (unsigned int j = 0; j < Size; ++j) {
+ for (size_t j = 0; j < Size; ++j) {
Version *vj = Res[j];
if (v == vj) {
seen = true;
@@ -418,8 +420,10 @@ pkgCache::Version **pkgCache::DepIterator::AllTargets()
continue;
}
- assert(Size < sizeof(Res)/sizeof(*Res));
- Res[Size++] = v;
+ if (Res != nullptr) {
+ Res[Size] = v;
+ }
+ Size++;
}
// Follow all provides
@@ -434,9 +438,9 @@ pkgCache::Version **pkgCache::DepIterator::AllTargets()
continue;
Version *v = I.OwnerVer();
- if (Res != 0 && Size > 0) {
+ if (Res != nullptr && Size > 0) {
bool seen = false;
- for (unsigned int j = 0; j < Size; ++j) {
+ for (size_t j = 0; j < Size; ++j) {
Version *vj = Res[j];
if (v == vj) {
seen = true;
@@ -447,16 +451,25 @@ pkgCache::Version **pkgCache::DepIterator::AllTargets()
continue;
}
- assert(Size < sizeof(Res)/sizeof(*Res));
- Res[Size++] = v;
+ if (Res != nullptr) {
+ Res[Size] = v;
+ }
+ Size++;
+ }
+
+ if (Res == 0)
+ {
+ Res = new Version *[Size+1];
+ Size = 0;
+ }
+ else
+ {
+ Res[Size] = nullptr;
+ break;
}
}
-
- Version **Ret = new Version *[Size+1];
- if (Size)
- memcpy(Ret, Res, Size*sizeof(*Res));
- Ret[Size] = 0;
- return Ret;
+
+ return Res;
}
/*}}}*/
// DepIterator::GlobOr - Compute an OR group /*{{{*/
--
2.24.1
Подробная информация о списке рассылки Devel