From db21779ec36d0415c37956325f5d1bcf4b89549f Mon Sep 17 00:00:00 2001 From: rbuj Date: Wed, 20 Feb 2019 03:24:33 +0100 Subject: Avoid array index out of bounds parsing dpkg-deb --info The first line of "dpkg-deb -I" output has only 5 words: old Debian package, version 0.939000. or new Debian package, version 2.0. Examples: $ wget http://archive.debian.org/debian/dists/Debian-0.93R6/binary/admin/acct-5-10.deb $ LANG=C dpkg-deb -I acct-5-10.deb old Debian package, version 0.939000. size 18338 bytes: control archive=1064, main archive=17260. 61 bytes, 3 lines conffiles 889 bytes, 20 lines control 570 bytes, 23 lines * postinst #!/bin/sh 107 bytes, 7 lines * postrm #!/bin/sh 212 bytes, 12 lines * preinst #!/bin/sh 212 bytes, 12 lines * prerm #!/bin/sh ... $ wget http://archive.debian.org/debian/dists/bo/main/binary-all/admin/alien_3.3.deb $ LANG=C dpkg-deb -I alien_3.3.deb new Debian package, version 2.0. size 20748 bytes: control archive=850 bytes. 394 bytes, 11 lines control 785 bytes, 13 lines md5sums --- src/fr-command-dpkg.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/fr-command-dpkg.c b/src/fr-command-dpkg.c index ab0df4b..184da01 100644 --- a/src/fr-command-dpkg.c +++ b/src/fr-command-dpkg.c @@ -51,7 +51,7 @@ process_metadata_line (char *line, g_return_if_fail (line != NULL); - fields = split_line (line, 6); + fields = split_line (line, 5); if (!fields[1] || !g_str_equal (fields[1], "bytes,")) { g_strfreev (fields); return; @@ -60,7 +60,9 @@ process_metadata_line (char *line, fdata = file_data_new (); fdata->size = g_ascii_strtoull (fields[0], NULL, 10); - if (fields[5] && g_str_equal (fields[4],"*")) { + if (g_str_equal (fields[4],"*")) { + g_strfreev (fields); + fields = split_line (line, 6); name = g_strdup (fields[5]); } else { name = g_strdup (get_last_field (line, 5)); -- cgit v1.2.1