otherwise a buffer overflow occurs.
this has been a bug in pkgconf since the beginning, it seems.
instead of disclosing the bug correctly, a "hotshot" developer
decided to blog about it instead. sigh.
https://nullprogram.com/blog/2023/01/18/
This is the same issue which has been fixed in dependency code.
If a line contains a variable which is longer than PKGCONF_ITEM_SIZE,
then the varname buffer overflows.
The code itself still does not check if a closing } exists and
truncates variable names which are too long. Since these would
be functional changes and this commit is about a protection against
undefined behaviour on a language level, these changes are not
included.
Proof of concept:
$ echo "Description: poc" > poc.pc
$ echo "Version: 1" >> poc.pc
$ echo -n 'Name: ${'
$ dd if=/dev/zero bs=1 count=66535 | tr '\0' 'x' >> poc.pc
$ echo >> poc.pc
$ pkgconf poc.pc
On my Linux system, when compiled with gcc, the varname buffer overflows
directly into buf, which means that no crash can be notified.
It's easiest to figure out when adding strlen() and sizeof() output
as debug lines.
If a key is defined with no value, dequote will allocate a buffer with a
length of 0. Since the buffer's length is 0, any manipulation of its
content is UB.
Example .pc file:
prefix=/usr
exec_prefix=${prefix}
libdir=${exec_prefix}/lib
includedir=${prefix}/include
xcflags=
xlibs= -lSM -lICE -lX11
Name: Obt
Description: Openbox Toolkit Library
Version: 3.6
Requires: glib-2.0 libxml-2.0
Libs: -L${libdir} -lobt ${xlibs}
Cflags: -I${includedir}/openbox/3.6 ${xcflags}
Output using pkgconf 1.5.2 on x86_64 Linux/musl:
% pkgconf --cflags obt-3.5
-I/usr/include/openbox/3.6 \�\\�I\�\ -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include -I/usr/include/libxml2
This allows compatibility between legacy pkg-config's broken sysroot implementation and pkgconf's sysroot
implementation, by removing any prepended sysroot paths and preferencing the variable expansion sysroot path
we typically do instead.
Closes github #123.