TagFile: Fix off-by-one errors in comment stripping

Adding 1 to the value of d->End - current makes restLength one byte
too long: If we pass memchr(current, ..., restLength) has thus
undefined behavior.

Also, reading the value of current has undefined behavior if
current >= d->End, not only for current > d->End:

Consider a string of length 1, that is d->End = d->Current + 1.
We can only read at d->Current + 0, but d->Current + 1 is beyond
the end of the string.

This probably caused several inexplicable build failures on hurd-i386
in the past, and just now caused a build failure on Ubuntu's amd64
builder.

Reported-By: valgrind

diff --git a/apt-pkg/tagfile.cc b/apt-pkg/tagfile.cc
index 3a3a3a04a5895044cc27f793d461ba07bc790446..69148e08baff1435fd6cb6382ca4a09a51b9539d 100644 (file)
--- a/apt-pkg/tagfile.cc
+++ b/apt-pkg/tagfile.cc
@@ -300,7 +300,7 @@ static void RemoveCommentsFromBuffer(pkgTagFilePrivate * const d)
    std::vector<std::pair<char*, size_t>> good_parts;
    while (current <= d->End)
    {
-      size_t const restLength = (d->End - current) + 1;
+      size_t const restLength = (d->End - current);
       if (d->isCommentedLine == false)
       {
         current = static_cast<char*>(memchr(current, '#', restLength));
@@ -335,7 +335,7 @@ static void RemoveCommentsFromBuffer(pkgTagFilePrivate * const d)
         }
         ++current;
         // is the next line a comment, too?
-        if (current > d->End || *current != '#')
+        if (current >= d->End || *current != '#')
         {
            d->chunks.emplace_back(false, (current - bad_start));
            good_start = current;