From 942be407ee8b6ca1089ed9c2f135ca4ed89c44fc Mon Sep 17 00:00:00 2001
From: Julian Andres Klode
Date: Thu, 20 Feb 2020 13:25:10 +0100
Subject: tagfile: Check if memchr() returned null before using

This fixes a segmentation fault trying to read from nullptr+1, aka address 1.
---
 apt-pkg/tagfile.cc | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'apt-pkg')

diff --git a/apt-pkg/tagfile.cc b/apt-pkg/tagfile.cc
index bbece1d7e..b86936353 100644
--- a/apt-pkg/tagfile.cc
+++ b/apt-pkg/tagfile.cc
@@ -714,8 +714,13 @@ StringView pkgTagSection::Find(Key key) const
 StringView pkgTagSection::FindRawInternal(unsigned int Pos) const
 {
    char const *Start = (char const *) memchr(Section + d->Tags[Pos].EndTag, ':', d->Tags[Pos].StartValue - d->Tags[Pos].EndTag);
-   ++Start;
    char const *End = Section + d->Tags[Pos + 1].StartTag;
+
+   if (Start == nullptr)
+      return "";
+
+   ++Start;
+
    if (unlikely(Start > End))
       return "";
 
-- 
cgit v1.2.3-70-g09d2

From 5bdb1892514c641fb0ebcc3103e6f503cdd4b04b Mon Sep 17 00:00:00 2001
From: Julian Andres Klode
Date: Thu, 20 Feb 2020 13:34:37 +0100
Subject: tagfile: Check out-of-bounds access to Tags vector

Check that the index we're going to use is within the size of the array.
---
 apt-pkg/tagfile.cc | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'apt-pkg')

diff --git a/apt-pkg/tagfile.cc b/apt-pkg/tagfile.cc
index b86936353..0f0d8c9a7 100644
--- a/apt-pkg/tagfile.cc
+++ b/apt-pkg/tagfile.cc
@@ -669,6 +669,9 @@ bool pkgTagSection::Find(StringView TagView,unsigned int &Pos) const
 
 bool pkgTagSection::FindInternal(unsigned int Pos, const char *&Start, const char *&End) const
 {
+   if (unlikely(Pos + 1 >= d->Tags.size() || Pos >= d->Tags.size()))
+      return _error->Error("Internal parsing error");
+
    Start = Section + d->Tags[Pos].StartValue;
    // Strip off the gunk from the end
    End = Section + d->Tags[Pos + 1].StartTag;
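Review bot: The new `if (Start == nullptr) return "";` makes a tag with no ':' between EndTag and StartValue indistinguishable from a field that is genuinely empty, while the bounds check the later commit on this page adds to FindInternal reports the same class of mis-parse through `_error->Error(...)`; either report here too, or put a comment on the line such as `// no ':' in the tag span: section was mis-parsed, treat the field as absent`. The length handed to memchr, `d->Tags[Pos].StartValue - d->Tags[Pos].EndTag`, is computed before any check and would wrap to a huge read length if StartValue were ever smaller than EndTag, assuming those fields are unsigned — if the parser does not already guarantee that ordering, guard it with `if (d->Tags[Pos].StartValue < d->Tags[Pos].EndTag) return "";` ahead of the memchr. The body of FindRawInternal continues past the end of this hunk.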
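Review bot: In the new guard `Pos + 1 >= d->Tags.size() || Pos >= d->Tags.size()` the second test reads as redundant but is the one that catches `Pos == UINT_MAX`, where `Pos + 1` wraps to 0 in unsigned int arithmetic before it is widened for the comparison against size(); that deserves a comment so nobody simplifies it away, e.g. `// second test covers Pos + 1 wrapping to 0`. The check also encodes that Tags must hold an entry after Pos, because `d->Tags[Pos + 1].StartTag` is used as the end of the value; that presumably relies on the parser appending a sentinel entry, and naming that invariant in the same comment would make the check self-explaining. The body of FindInternal continues beyond the hunk.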
@@ -713,6 +716,9 @@ StringView pkgTagSection::Find(Key key) const
 // TagSection::FindRawS - Find a string /*{{{*/
 StringView pkgTagSection::FindRawInternal(unsigned int Pos) const
 {
+   if (unlikely(Pos + 1 >= d->Tags.size() || Pos >= d->Tags.size()))
+      return _error->Error("Internal parsing error"), "";
+
    char const *Start = (char const *) memchr(Section + d->Tags[Pos].EndTag, ':', d->Tags[Pos].StartValue - d->Tags[Pos].EndTag);
    char const *End = Section + d->Tags[Pos + 1].StartTag;
 
@@ -928,6 +934,8 @@ bool pkgTagSection::FindFlag(unsigned long &Flags, unsigned long Flag,
 /*}}}*/
 void pkgTagSection::Get(const char *&Start,const char *&Stop,unsigned int I) const/*{{{*/
 {
+   if (unlikely(I + 1 >= d->Tags.size() || I >= d->Tags.size()))
+      abort();
    Start = Section + d->Tags[I].StartTag;
    Stop = Section + d->Tags[I+1].StartTag;
 }
-- 
cgit v1.2.3-70-g09d2
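Review bot: `return _error->Error("Internal parsing error"), "";` leans on the comma operator to discard Error()'s bool and hand back an empty StringView, which is easy to misread as returning the bool; two statements, `_error->Error("Internal parsing error"); return "";`, say the same thing plainly. As in FindInternal, the `Pos >= d->Tags.size()` clause is what handles `Pos + 1` wrapping to 0 at UINT_MAX and should carry a one-line comment saying so. Callers should also be aware that an empty StringView is what this function returns for a well-formed but empty field as well, so the two cases can only be told apart by consulting `_error`. FindRawInternal continues past the end of the hunk.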
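Review bot: The `abort()` added to pkgTagSection::Get turns an out-of-range index into a process abort, whereas the checks added to FindInternal and FindRawInternal in the same commit report an error and return; if I can ever be derived from the contents of a parsed index rather than from a trusted loop bound, a malformed file becomes a crash of the caller instead of a rejected file. Get's void, out-parameter signature leaves no error channel, so the decision belongs in a comment next to the call, e.g. `// I must be below the tag count; reaching here means the caller, not the input, is broken`, and callers that iterate by index should be confirmed to bound I against the tag count before calling. The same wrap caveat applies: the `I >= d->Tags.size()` clause is the one that catches `I + 1` overflowing to 0.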