Don't parse \x and \0 past the end in DeEscapeString

This has no attack surface though as the loop is to end very soon anyhow and the method only used while reading CD-ROM mountpoints which seems like a very unlikely attack vector…
author: David Kalnischkies <david@kalnischkies.de> 2020-12-03 10:44:27 +0100
committer: David Kalnischkies <david@kalnischkies.de> 2021-02-03 17:36:45 +0100
commit: ed192f410da36aedf5e54bb3f967e6613ab4bb51 (patch)
tree: 80478809e37250997e2c72d5686ac81c0b97260b /apt-pkg/contrib
parent: 10f13938bbf1474451fadcd62e1c31c4b5f5b3d7 (diff)
1 files changed, 8 insertions, 4 deletions
diff --git a/apt-pkg/contrib/strutl.cc b/apt-pkg/contrib/strutl.cc
index 826b21478..45e475b3e 100644
--- a/apt-pkg/contrib/strutl.cc
+++ b/apt-pkg/contrib/strutl.cc
@@ -1611,22 +1611,26 @@ string DeEscapeString(const string &input)
       switch (*it)
       {
          case '0':
-            if (it + 2 <= input.end()) {
+            if (it + 2 < input.end()) {
                tmp[0] = it[1];
                tmp[1] = it[2];
                tmp[2] = 0;
                output += (char)strtol(tmp, 0, 8);
                it += 2;
-            }
+            } else {
+	       // FIXME: raise exception here?
+	    }
             break;
          case 'x':
-            if (it + 2 <= input.end()) {
+            if (it + 2 < input.end()) {
                tmp[0] = it[1];
                tmp[1] = it[2];
                tmp[2] = 0;
                output += (char)strtol(tmp, 0, 16);
                it += 2;
-            }
+            } else {
+	       // FIXME: raise exception here?
+	    }
             break;
          default:
             // FIXME: raise exception here?
author	David Kalnischkies <david@kalnischkies.de>	2020-12-03 10:44:27 +0100
committer	David Kalnischkies <david@kalnischkies.de>	2021-02-03 17:36:45 +0100
commit	ed192f410da36aedf5e54bb3f967e6613ab4bb51 (patch)
tree	80478809e37250997e2c72d5686ac81c0b97260b /apt-pkg/contrib
parent	10f13938bbf1474451fadcd62e1c31c4b5f5b3d7 (diff)