Avoid incrementing a pointer past the end

The ‘end’ parameter to ‘strtaglen’ might point past the end of an allocation. Therefore, if ‘start’ becomes equal to ‘end’, return an error without calling ‘memchr’ on that pointer.
rpm-software-management · Jan 15, 2021 · 24fa347 · 24fa347
1 parent 5ce2b5e
commit 24fa347
Showing 1 changed file with 9 additions and 3 deletions.
diff --git a/lib/header.c b/lib/header.c
@@ -394,10 +394,16 @@ static inline int strtaglen(const char *str, rpm_count_t c, const char *end)
     const char *s;
 
     if (end) {
-	if (str >= end)
+	if (start >= end)
 	    return -1;
-	while ((s = memchr(start, '\0', end-start))) {
-	    if (--c == 0 || s > end)
+	/*
+	 * If this is the last tag data, `end` could point past the end of the
+	 * allocated buffer.  Passing a non-dereferencable pointer to `memchr`
+	 * is undefined behavior, so check that `start` is less than `end`
+	 * first.
+	 */
+	while (end > start && (s = memchr(start, '\0', end-start))) {
+	    if (--c == 0)
 		break;
 	    start = s + 1;
 	}