diff options
| author | Samanta Navarro <ferivoz@riseup.net> | 2021-07-26 13:36:28 +0300 |
|---|---|---|
| committer | Timo Teräs <timo.teras@iki.fi> | 2021-07-26 14:37:58 +0300 |
| commit | 41a6e4c247e68e906bea1ca7c31f0e8d3b49bc83 (patch) | |
| tree | 8966b8f614a754e3a1f3ed2eae6a756d3c9a3539 | |
| parent | 0eac0ed5f5575e4e115cc6a002b05e59d7f98f55 (diff) | |
| download | apk-tools-41a6e4c247e68e906bea1ca7c31f0e8d3b49bc83.tar.gz apk-tools-41a6e4c247e68e906bea1ca7c31f0e8d3b49bc83.tar.bz2 apk-tools-41a6e4c247e68e906bea1ca7c31f0e8d3b49bc83.tar.xz apk-tools-41a6e4c247e68e906bea1ca7c31f0e8d3b49bc83.zip | |
db: fix installed db writing with long names
Packages containing files with path names longer than 1024 characters
cannot fit into the buffer which is used to write "installed" database.
This leads to bbuf being APK_BLOB_NULL in apk_db_write_fdb because
apk_blob_push_blob notices the condition and correctly handles it.
The problem occurs when arguments to apk_ostream_write are manually
calculated by pointer arithmetics. Since bbuf.ptr is NULL in such a
case, bbuf.ptr - buf leads to a huge size value while buf still points
into the stack.
fixes #10751
[TT: minor edit to commit and abbreviating the commit message]
| -rw-r--r-- | src/database.c | 17 |
1 files changed, 11 insertions, 6 deletions
diff --git a/src/database.c b/src/database.c index f4169ff..5f4e5e6 100644 --- a/src/database.c +++ b/src/database.c @@ -933,7 +933,7 @@ static int apk_db_write_fdb(struct apk_database *db, struct apk_ostream *os) struct apk_db_dir_instance *diri; struct apk_db_file *file; struct hlist_node *c1, *c2; - char buf[1024]; + char buf[1024+PATH_MAX]; apk_blob_t bbuf = APK_BLOB_BUF(buf); int r; @@ -976,6 +976,12 @@ static int apk_db_write_fdb(struct apk_database *db, struct apk_ostream *os) if (diri->acl != apk_default_acl_dir) apk_blob_push_db_acl(&bbuf, 'M', diri->acl); + bbuf = apk_blob_pushed(APK_BLOB_BUF(buf), bbuf); + if (APK_BLOB_IS_NULL(bbuf)) return -ENOBUFS; + r = apk_ostream_write(os, bbuf.ptr, bbuf.len); + if (r != bbuf.len) return r < 0 ? r : -ENOSPC; + bbuf = APK_BLOB_BUF(buf); + hlist_for_each_entry(file, c2, &diri->owned_files, diri_files_list) { apk_blob_push_blob(&bbuf, APK_BLOB_STR("R:")); apk_blob_push_blob(&bbuf, APK_BLOB_PTR_LEN(file->name, file->namelen)); @@ -990,13 +996,12 @@ static int apk_db_write_fdb(struct apk_database *db, struct apk_ostream *os) apk_blob_push_blob(&bbuf, APK_BLOB_STR("\n")); } - if (apk_ostream_write(os, buf, bbuf.ptr - buf) != bbuf.ptr - buf) - return -EIO; + bbuf = apk_blob_pushed(APK_BLOB_BUF(buf), bbuf); + if (APK_BLOB_IS_NULL(bbuf)) return -ENOBUFS; + r = apk_ostream_write(os, bbuf.ptr, bbuf.len); + if (r != bbuf.len) return r < 0 ? r : -ENOSPC; bbuf = APK_BLOB_BUF(buf); } - if (apk_ostream_write(os, buf, bbuf.ptr - buf) != bbuf.ptr - buf) - return -EIO; - bbuf = APK_BLOB_BUF(buf); } apk_ostream_write(os, "\n", 1); } |