off-by-one error when translating source records build depends

Bug #1694702 reported by Julian Andres Klode on 2017-05-31
Affects / Status / Importance / Assigned to / Milestone
python-apt (Ubuntu): importance High, unassigned
python-apt (Ubuntu Xenial): importance Undecided, unassigned

Bug Description

[Impact]
Out-of-bounds read in an array, causing segmentation fault

[Testcase]
On amd64:

python3-dbg -c 'import apt, apt_pkg; sr=apt_pkg.SourceRecords(); sr.lookup("dq"); print(sr.build_depends)'

crashes.

[Regression potential]
This is a simple off-by-one fix. There really should be no regressions, but if there were, only for people using SourceRecords.build_depends - the list could now be shorter (depending on memory).
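The off-by-one described above, modelled in an added C++ example that is not python-apt's code: the record struct, the flag value (pkgCache::Dep::Or is assumed to be 0x10), the shape of the outer loop and the sample build-dependency records are all constructed here. It runs the original end test (`i == bd.size()`) and the patched one (`i + 1 >= bd.size()`) side by side over a record list whose last entry carries the Or bit, which is the input the testcase hits; instead of reading past the end the way the binding did, the model reports the out-of-range index.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Constructed stand-in for apt's pkgSrcRecords::Parser::BuildDepRec; the real
// struct has more fields, only Package and Op matter for the grouping loop.
struct BuildDepRec {
    std::string Package;
    unsigned int Op;  // comparison operator bits; the Or bit marks "a | b"
};

// Assumed flag value: apt declares pkgCache::Dep::Or as 0x10.
const unsigned int DepOr = 0x10;

// Models the or-group walk in PkgSrcRecordsGetBuildDepends. `fixed` selects
// the patched end test (i + 1 >= bd.size()) instead of the original one
// (i == bd.size()). The real code indexes bd[i] without a bounds check; here
// an out-of-range index is reported through *oob instead of being read.
std::vector<std::vector<std::string>>
GroupBuildDepends(const std::vector<BuildDepRec> &bd, bool fixed, bool *oob)
{
    std::vector<std::vector<std::string>> result;
    *oob = false;
    size_t i = 0;
    while (i < bd.size()) {
        std::vector<std::string> orGroup;
        while (true) {
            if (i >= bd.size()) {  // this is where the binding segfaulted
                *oob = true;
                return result;
            }
            orGroup.push_back(bd[i].Package);
            bool lastAlternative = (bd[i].Op & DepOr) != DepOr;
            // Old test: i was just used as a valid index, so i == size is
            // never true here and the guard is dead. New test fires on the
            // last record even when its Or bit is (wrongly) set.
            bool atEnd = fixed ? (i + 1 >= bd.size()) : (i == bd.size());
            if (lastAlternative || atEnd)
                break;
            i++;
        }
        result.push_back(orGroup);
        i++;
    }
    return result;
}

// Constructed input: a final record whose Or bit is set, the shape that
// triggers the crash in the bug report's testcase.
std::vector<BuildDepRec> TrailingOrSample()
{
    return {{"debhelper", 0}, {"python3-all", DepOr}, {"python3-dev", DepOr}};
}

// Constructed well-formed input: "a | b, c".
std::vector<BuildDepRec> WellFormedSample()
{
    return {{"a", DepOr}, {"b", 0}, {"c", 0}};
}

bool OldLoopReadsPastEnd()
{
    bool oob = false;
    GroupBuildDepends(TrailingOrSample(), false, &oob);
    return oob;  // true
}

size_t FixedLoopGroupCount()
{
    bool oob = false;
    std::vector<std::vector<std::string>> groups =
        GroupBuildDepends(TrailingOrSample(), true, &oob);
    return oob ? 0 : groups.size();  // 2: [debhelper], [python3-all, python3-dev]
}

size_t WellFormedGroupCount(bool fixed)
{
    bool oob = false;
    std::vector<std::vector<std::string>> groups =
        GroupBuildDepends(WellFormedSample(), fixed, &oob);
    return oob ? 0 : groups.size();  // 2 either way: [a, b], [c]
}

int main()
{
    std::cout << "old loop reads past end: " << OldLoopReadsPastEnd() << "\n"
              << "fixed loop or-groups: " << FixedLoopGroupCount() << "\n";
    return 0;
}
```

On well-formed input both variants produce the same groups, which matches the regression note above: the patch only changes behaviour when the last record is flagged as having an alternative, and there the new test terminates the group instead of indexing one past the end.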

diff --git a/python/pkgsrcrecords.cc b/python/pkgsrcrecords.cc
index 9ca21c5a..77b490cb 100644
--- a/python/pkgsrcrecords.cc
+++ b/python/pkgsrcrecords.cc
@@ -220,7 +220,7 @@ static PyObject *PkgSrcRecordsGetBuildDepends(PyObject *Self,void*) {
                        bd[i].Version.c_str(), pkgCache::CompType(bd[i].Op));
            PyList_Append(OrGroup, v);
            Py_DECREF(v);
- if (pkgCache::Dep::Or != (bd[i].Op & pkgCache::Dep::Or) || i == bd.size())
+ if (pkgCache::Dep::Or != (bd[i].Op & pkgCache::Dep::Or) || i + 1 >= bd.size())
               break;
         i++;
      }
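Review bot: the removed test `i == bd.size()` was dead code, because bd[i] has just been indexed on the preceding lines, so i is always below bd.size() at that point; the new `i + 1 >= bd.size()` is the first condition that can actually stop the inner loop on the last record. A short comment on the `+` line saying why the last record can carry the Or bit (the parser side issue noted in the comments, bug 1694697) would save the next reader from "fixing" it back, since a well-formed list never needs this guard.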

Julian Andres Klode (juliank) wrote :

The underlying problem is caused by bug 1694697 actually, but this is still a bug on its own.

Changed in python-apt (Ubuntu):
status: New → In Progress
importance: Undecided → High
Julian Andres Klode (juliank) wrote :

This was fixed before 1.6, so only xenial and trusty are affected at most.

Changed in python-apt (Ubuntu):
status: In Progress → Fix Released
Changed in python-apt (Ubuntu Xenial):
status: New → Triaged
Julian Andres Klode (juliank) wrote :

Can't reproduce the crash on xenial, though, so not entirely sure how to verify the bug yet.
