off-by-one error when translating source records build depends
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| python-apt (Ubuntu) |
Fix Released
|
High
|
Unassigned | ||
| Xenial |
Triaged
|
Undecided
|
Unassigned | ||
Bug Description
[Impact]
Out-of-bounds read in an array, causing segmentation fault
[Testcase]
On amd64:
python3-dbg -c 'import apt, apt_pkg; sr=apt_
crashes.
[Regression potential]
This is a simple off-by-one fix. There really should be no regressions, but if there were, only for people using SourceRecords.
diff --git a/python/
index 9ca21c5a..77b490cb 100644
--- a/python/
+++ b/python/
@@ -220,7 +220,7 @@ static PyObject *PkgSrcRecordsG
- if (pkgCache::Dep::Or != (bd[i].Op & pkgCache::Dep::Or) || i == bd.size())
+ if (pkgCache::Dep::Or != (bd[i].Op & pkgCache::Dep::Or) || i + 1 >= bd.size())
i++;
}
| Julian Andres Klode (juliank) wrote | #1 |
| Changed in python-apt (Ubuntu): | |
| status: | New → In Progress |
| importance: | Undecided → High |
| Julian Andres Klode (juliank) wrote | #2 |
| Changed in python-apt (Ubuntu): | |
| status: | In Progress → Fix Released |
| Changed in python-apt (Ubuntu Xenial): | |
| status: | New → Triaged |
| Julian Andres Klode (juliank) wrote | #3 |
The underlying problem is caused by bug 1694697 actually, but this is still a bug on its own.