From: Julian Andres Klode <jak@debian.org>
Date: Tue, 28 Jun 2016 08:24:11 +0000 (+0200)
Subject: Fix buffer overflow in debListParser::VersionHash()
X-Git-Tag: 1.3_pre1~32
X-Git-Url: https://git.saurik.com/apt.git/commitdiff_plain/b6e9756ca03ec887ef1d0bc8e38f63c29db7a365

Fix buffer overflow in debListParser::VersionHash()

If a package file is formatted in a way that that no space
follows a deprecated "<", we would reformat it to "<=" and
increase the length of the output by 1, which can break.

Under normal circumstances with "<=" this should not be an
issue.

Closes: #828812
---

diff --git a/apt-pkg/deb/deblistparser.cc b/apt-pkg/deb/deblistparser.cc
index ed5484ad9..e24ced271 100644
--- a/apt-pkg/deb/deblistparser.cc
+++ b/apt-pkg/deb/deblistparser.cc
@@ -357,8 +357,12 @@ unsigned short debListParser::VersionHash()
 	    continue;
 	 *J++ = tolower_ascii(*Start);
 
-	 if ((*Start == '<' || *Start == '>') && Start[1] != *Start && Start[1] != '=')
-	    *J++ = '=';
+	 /* Normalize <= to < and >= to >. This is the wrong way around, but
+	  * more efficient that the right way. And since we're only hashing
+	  * it does not matter which way we normalize. */
+	 if ((*Start == '<' || *Start == '>') && Start[1] == '=') {
+	    Start++;
+	 }
       }
 
       Result = AddCRC16(Result,S,J - S);