author | Panu Matilainen <pmatilai@redhat.com> | 2020-09-01 13:14:35 +0300 |
---|---|---|
committer | Hyunggi Lee <hyunggi.lee@samsung.com> | 2024-07-02 12:29:04 +0900 |
commit | 02f5f3b6e44c1bd4fe585c82faf6aa3651defb66 (patch) | |
tree | 204d45a74975690882206d0104db1947d0f1573d | |
parent | 71c6c80f9dce836e6cbb5a32c4640fd3460d2f9a (diff) | |
download | rpm-sandbox/hglee/asan.tar.gz rpm-sandbox/hglee/asan.tar.bz2 rpm-sandbox/hglee/asan.zip |
Fix possible read beyond buffer in rstrnlenhash() (branch: sandbox/hglee/asan)
On strings that are not \0-terminated (which are a big reason for the
existence of this function), the while-loop would try to compare the
first character beyond the specified buffer for '\0' before realizing
we're already beyond the end when checking n. Should be mostly harmless
in practice as the check for n would still terminate it, but not right.
In particular this trips up address sanitizer with the bdb backend where
some of the returned strings are not \0-terminated.
Test for string length first, and move the decrementing side-effect into
the loop for better readability.
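To make the evaluation-order bug the message describes observable without relying on undefined behaviour, here is an added example (not rpm's code) that runs both loop orderings over an instrumented buffer: every byte access goes through a `peek()` helper that records the highest index touched and returns `'\0'` instead of dereferencing out of bounds. The per-byte mixing and the two finalization lines are copied from what the hunk shows; anything after `hash ^= (hash >> 11)` in the real function is not visible on this page and is left out, so the hash values here are only comparable with each other. The buffers, the `tracked_buf` type and the `run()` driver are all constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Instrumented buffer (constructed for this example, not rpm's type).
 * peek() records 1 + the highest index read, so a loop that looks at
 * str[size] is caught as touched == size + 1 instead of being UB. */
typedef struct {
    const char *base;
    size_t size;     /* bytes actually owned by the buffer */
    size_t touched;  /* 1 + highest index read so far */
} tracked_buf;

static char peek(tracked_buf *b, size_t i)
{
    if (i + 1 > b->touched)
        b->touched = i + 1;
    return (i < b->size) ? b->base[i] : '\0';  /* safe stand-in for UB */
}

/* Per-byte mixing exactly as in the hunk. */
static unsigned int mix(unsigned int hash, char c)
{
    hash += c;
    hash += (hash << 10);
    hash ^= (hash >> 6);
    return hash;
}

/* Finalization truncated to the two lines visible in the hunk. */
static unsigned int finish(unsigned int hash)
{
    hash += (hash << 3);
    hash ^= (hash >> 11);
    return hash;
}

/* Pre-patch order: the byte is compared against '\0' before n is tested,
 * so on an unterminated buffer the loop peeks at index n. */
static unsigned int hash_old(tracked_buf *b, size_t n, size_t *len)
{
    unsigned int hash = 0xe4721b68;
    size_t i = 0;
    char c;
    while ((c = peek(b, i)) != '\0' && n-- > 0) {
        hash = mix(hash, c);
        i++;
    }
    *len = i;
    return finish(hash);
}

/* Post-patch order: n is tested first, so index n is never read. */
static unsigned int hash_new(tracked_buf *b, size_t n, size_t *len)
{
    unsigned int hash = 0xe4721b68;
    size_t i = 0;
    char c;
    while (n > 0 && (c = peek(b, i)) != '\0') {
        hash = mix(hash, c);
        i++;
        n--;
    }
    *len = i;
    return finish(hash);
}

typedef struct { unsigned int hash; size_t len; size_t touched; } result;

/* Runs one loop variant over `size` bytes of `data` with limit n and
 * reports the hash, the length found and how many bytes were touched. */
static result run(unsigned int (*fn)(tracked_buf *, size_t, size_t *),
                  const char *data, size_t size, size_t n)
{
    tracked_buf b = { data, size, 0 };
    result r;
    r.hash = fn(&b, n, &r.len);
    r.touched = b.touched;
    return r;
}

/* Constructed inputs: three bytes without a terminator, and two bytes
 * followed by one. */
static const char UNTERMINATED[3] = { 'a', 'b', 'c' };
static const char TERMINATED[3]   = { 'a', 'b', '\0' };

int main(void)
{
    result o = run(hash_old, UNTERMINATED, 3, 3);
    result n = run(hash_new, UNTERMINATED, 3, 3);
    printf("old: hash=%08x len=%zu touched=%zu bytes of 3\n", o.hash, o.len, o.touched);
    printf("new: hash=%08x len=%zu touched=%zu bytes of 3\n", n.hash, n.len, n.touched);
    return 0;
}
```

On the unterminated buffer both orderings produce the same hash and length, which is why the bug was "mostly harmless": the difference is only that the old loop touches a fourth byte, which is exactly what AddressSanitizer flags when the buffer comes from a backend that does not pad its strings.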
-rw-r--r-- | rpmio/rpmstrpool.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/rpmio/rpmstrpool.c b/rpmio/rpmstrpool.c index 30a57eb10..8be0db1d8 100644 --- a/rpmio/rpmstrpool.c +++ b/rpmio/rpmstrpool.c @@ -71,11 +71,12 @@ static inline unsigned int rstrnlenhash(const char * str, size_t n, size_t * len unsigned int hash = 0xe4721b68; const char * s = str; - while (*s != '\0' && n-- > 0) { + while (n > 0 && *s != '\0') { hash += *s; hash += (hash << 10); hash ^= (hash >> 6); s++; + n--; } hash += (hash << 3); hash ^= (hash >> 11); |
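Review bot: the reordered condition `while (n > 0 && *s != '\0')` is the right fix, since `&&` short-circuits and `*s` is now only dereferenced once `n > 0` has guaranteed the byte is inside the caller's buffer; the old `*s != '\0' && n-- > 0` read `str[n]` before the count could stop it. A side benefit worth noting in the message or a comment: with `n--` moved into the body, `n` can no longer be post-decremented from 0 to `SIZE_MAX` on the final test, so the value is well-defined after the loop. Since the page does not show the lines after `hash ^= (hash >> 11)`, it would help to add a comment above `rstrnlenhash()` stating the contract this hunk now relies on, namely that `str` need not be NUL-terminated and that at most `n` bytes are read.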