From dc04193c482c32c3c8d650a17a3f750ee9e25097 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann
Date: Fri, 29 May 2020 19:35:42 +0200
Subject: [PATCH] libpkgconf: fragment: fix out of boundary read

Parsing a fragment which consists only of a single dash leads to an out of boundary read. It duplicates the following entry which is not expected behaviour if another fragment follows. Proof of concept: $ cat > poc.pc << "EOF" Name: poc Description: poc Version: 1 Cflags: - -I/somewhere EOF $ PKG_CONFIG_PATH=. pkgconf --cflags poc -I/somewhere -I/somewhere If - is the last entry, it leads to an out of boundary read, which is easy to see if pkgconf is compiled with address sanitizer.
---
 libpkgconf/fragment.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libpkgconf/fragment.c b/libpkgconf/fragment.c
index 1937f33..ed502dd 100644
--- a/libpkgconf/fragment.c
+++ b/libpkgconf/fragment.c
@@ -137,7 +137,7 @@ pkgconf_fragment_add(const pkgconf_client_t *client, pkgconf_list_t *list, const
 if (*string == '\0') return;
- if (!pkgconf_fragment_is_special(string))
+ if (strlen(string) > 1 && !pkgconf_fragment_is_special(string))
 {
 frag = calloc(sizeof(pkgconf_fragment_t), 1);