db: fix installed db writing with long names

Packages containing files with path names longer than 1024 characters
cannot fit into the buffer which is used to write "installed" database.
This leads to bbuf being APK_BLOB_NULL in apk_db_write_fdb because
apk_blob_push_blob notices the condition and correctly handles it.

The problem occurs when the arguments to apk_ostream_write are calculated
manually by pointer arithmetic. Since bbuf.ptr is NULL in such a case,
bbuf.ptr - buf yields a huge size value while buf still points into the
stack.

fixes #10751

[TT: minor edit to commit and abbreviating the commit message]
cute-signatures
Samanta Navarro 2021-07-26 13:36:28 +03:00 committed by Timo Teräs
parent aca77e8410
commit d212aca070
1 changed files with 10 additions and 5 deletions


@ -928,7 +928,7 @@ static int apk_db_write_fdb(struct apk_database *db, struct apk_ostream *os)
struct apk_db_dir_instance *diri;
struct apk_db_file *file;
struct hlist_node *c1, *c2;
char buf[1024];
char buf[1024+PATH_MAX];
apk_blob_t bbuf = APK_BLOB_BUF(buf);
int r;
@ -972,6 +972,12 @@ static int apk_db_write_fdb(struct apk_database *db, struct apk_ostream *os)
if (diri->acl != apk_default_acl_dir)
apk_blob_push_db_acl(&bbuf, 'M', diri->acl);
bbuf = apk_blob_pushed(APK_BLOB_BUF(buf), bbuf);
if (APK_BLOB_IS_NULL(bbuf)) return -ENOBUFS;
r = apk_ostream_write(os, bbuf.ptr, bbuf.len);
if (r < 0) return r;
bbuf = APK_BLOB_BUF(buf);
hlist_for_each_entry(file, c2, &diri->owned_files, diri_files_list) {
apk_blob_push_blob(&bbuf, APK_BLOB_STR("R:"));
apk_blob_push_blob(&bbuf, APK_BLOB_PTR_LEN(file->name, file->namelen));
@ -986,13 +992,12 @@ static int apk_db_write_fdb(struct apk_database *db, struct apk_ostream *os)
apk_blob_push_blob(&bbuf, APK_BLOB_STR("\n"));
}
r = apk_ostream_write(os, buf, bbuf.ptr - buf);
bbuf = apk_blob_pushed(APK_BLOB_BUF(buf), bbuf);
if (APK_BLOB_IS_NULL(bbuf)) return -ENOBUFS;
r = apk_ostream_write(os, bbuf.ptr, bbuf.len);
if (r < 0) return r;
bbuf = APK_BLOB_BUF(buf);
}
r = apk_ostream_write(os, buf, bbuf.ptr - buf);
if (r < 0) return r;
bbuf = APK_BLOB_BUF(buf);
}
r = apk_ostream_write(os, "\n", 1);
if (r < 0) return r;
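Review bot: The flush sequence added after the directory header (`apk_blob_pushed` through `bbuf = APK_BLOB_BUF(buf)`) is repeated verbatim after each file record, and its `APK_BLOB_IS_NULL(bbuf)` test is the only thing that stops a NULL `bbuf.ptr` from becoming an oversized length read out of the stack buffer. Moving the sequence into one static helper, as sketched below, keeps that check from being left out at either site or at a future one. Names too long for `buf[1024+PATH_MAX]` still abort the write with -ENOBUFS, which merits a short comment on the declaration. apk_db_write_fdb starts and ends outside the hunks shown, so how the caller treats the partially written stream cannot be checked from here.

```c
/* Write out what has been pushed into buf and reset the blob.
 * Fails with -ENOBUFS if any earlier push overflowed buf. */
static int apk_db_fdb_flush(struct apk_ostream *os, char *buf, size_t size, apk_blob_t *bbuf)
{
	apk_blob_t out = apk_blob_pushed(APK_BLOB_PTR_LEN(buf, size), *bbuf);
	int r;

	if (APK_BLOB_IS_NULL(out)) return -ENOBUFS;
	r = apk_ostream_write(os, out.ptr, out.len);
	if (r < 0) return r;
	*bbuf = APK_BLOB_PTR_LEN(buf, size);
	return 0;
}

/* … unchanged: directory header pushes … */
r = apk_db_fdb_flush(os, buf, sizeof buf, &bbuf);
if (r < 0) return r;
/* … unchanged: per-file pushes, followed by the same two lines … */
```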