Don't parse \x and \0 past the end in DeEscapeString

This has no attack surface though as the loop is to end very soon anyhow
and the method only used while reading CD-ROM mountpoints which seems
like a very unlikely attack vector…

2 files changed, 14 insertions, 4 deletions

diff --git a/apt-pkg/contrib/strutl.cc b/apt-pkg/contrib/strutl.cc
index 826b21478..45e475b3e 100644
--- a/apt-pkg/contrib/strutl.cc
+++ b/apt-pkg/contrib/strutl.cc
@@ -1611,22 +1611,26 @@ string DeEscapeString(const string &input)
       switch (*it)
       {
          case '0':
-            if (it + 2 <= input.end()) {
+            if (it + 2 < input.end()) {
                tmp[0] = it[1];
                tmp[1] = it[2];
                tmp[2] = 0;
                output += (char)strtol(tmp, 0, 8);
                it += 2;
-            }
+            } else {
+	       // FIXME: raise exception here?
+	    }
             break;
          case 'x':
-            if (it + 2 <= input.end()) {
+            if (it + 2 < input.end()) {
                tmp[0] = it[1];
                tmp[1] = it[2];
                tmp[2] = 0;
                output += (char)strtol(tmp, 0, 16);
                it += 2;
-            }
+            } else {
+	       // FIXME: raise exception here?
+	    }
             break;
          default:
             // FIXME: raise exception here?
diff --git a/test/libapt/strutil_test.cc b/test/libapt/strutil_test.cc
index f101d72cf..d477e953c 100644
--- a/test/libapt/strutil_test.cc
+++ b/test/libapt/strutil_test.cc
@@ -21,6 +21,12 @@ TEST(StrUtilTest,DeEscapeString)
    // double slashes
    EXPECT_EQ("foo\\ x", DeEscapeString("foo\\\\ x"));
    EXPECT_EQ("\\foo\\", DeEscapeString("\\\\foo\\\\"));
+
+   // FIXME: the input is bad, the output as well, but we have no indicator for it
+   EXPECT_EQ("aa", DeEscapeString("aa\\x"));
+   EXPECT_EQ("aa0", DeEscapeString("aa\\x0"));
+   EXPECT_EQ("aa", DeEscapeString("aa\\0"));
+   EXPECT_EQ("aaa", DeEscapeString("aa\\0a"));
 }
 TEST(StrUtilTest,StringStrip)
 {