Avoid incrementing a pointer past the end

The ‘end’ parameter to ‘strtaglen’ might point past the end of an allocation. Therefore, if ‘start’ becomes equal to ‘end’, exit the loop without calling ‘memchr’ on it.
rpm-software-management · Feb 16, 2021 · 70c3c87 · 70c3c87
1 parent c3e04c2
commit 70c3c87
Showing 1 changed file with 8 additions and 4 deletions.
diff --git a/lib/header.c b/lib/header.c
@@ -412,10 +412,14 @@ static inline int strtaglen(const char *str, rpm_count_t c, const char *end)
     const char *s;
 
     if (end) {
-	if (str >= end)
-	    return -1;
-	while ((s = memchr(start, '\0', end-start))) {
-	    if (--c == 0 || s > end)
+	/*
+	 * If this is the last tag data, `end` could point past the end of the
+	 * allocated buffer.  Passing a non-dereferencable pointer to `memchr`
+	 * is undefined behavior, so check that `start` is less than `end`
+	 * first.
+	 */
+	while (end > start && (s = memchr(start, '\0', end-start))) {
+	    if (--c == 0)
 		break;
 	    start = s + 1;
 	}