Package: apt
Version: 0.7.20.2
Severity: important
Tags: patch

*** Please type your report below this line ***
Header.MaxVerFileSize determines the buffer size used to parse the list files.
By default it is 64k, but it is resized here:

apt-pkg/pkgcachegen.cc:379
    VF->Size = List.Size();
    if (Cache.HeaderP->MaxVerFileSize < VF->Size)
       Cache.HeaderP->MaxVerFileSize = VF->Size;

Header.MaxVerFileSize is an unsigned long
ListParser.Size() returns unsigned long
but VerFileIterator->Size is an unsigned short !!!

This generates, if the ListParser.Size is bigger than USHORT_MAX, an integer overflow, and the list parsing will fail, because the buffer won't contain the whole section.

I think this is related to #275852

Here's the patch, for making the size unsigned long

diff --git a/apt-pkg/pkgcache.h b/apt-pkg/pkgcache.h index 59d5003..14bec69 100644 --- a/apt-pkg/pkgcache.h +++ b/apt-pkg/pkgcache.h @@ -244,7 +244,7 @@ struct pkgCache::VerFile map_ptrloc File; // PackageFile map_ptrloc NextFile; // PkgVerFile map_ptrloc Offset; // File offset - unsigned short Size; + unsigned long Size; }; struct pkgCache::DescFile 
@@ -252,7 +252,7 @@ struct pkgCache::DescFile map_ptrloc File; // PackageFile map_ptrloc NextFile; // PkgVerFile map_ptrloc Offset; // File offset - unsigned short Size; + unsigned long Size; }; struct pkgCache::Version

-- Package-specific info:

-- (/etc/apt/preferences present, but not submitted) --

-- (/etc/apt/sources.list present, but not submitted) --

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (900, 'testing'), (800, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages apt depends on:
ii  debian-archive-keyring  2009.01.31      GnuPG archive keys of the Debian a
ii  libc6                   2.9-12          GNU C Library: Shared libraries
ii  libgcc1                 1:4.4.0-5       GCC support library
ii  libstdc++6              4.4.0-5         The GNU Standard C++ Library v3

apt recommends no packages.

Versions of packages apt suggests:
pn  apt-doc                 <none>          (no description available)
ii  aptitude                0.4.11.11-1+b1  terminal-based package manager
ii  bzip2                   1.0.5-2         high-quality block-sorting file co
ii  dpkg-dev                1.15.2          Debian package development tools
ii  lzma                    4.43-14         Compression method of 7z format in
ii  python-apt              0.7.10.4        Python interface to libapt-pkg
ii  synaptic                0.62.7          Graphical package manager

-- no debconf information
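Review bot: in the pkgCache::VerFile hunk (@@ -244), `unsigned long Size` gives the field an architecture-dependent width (8 bytes on the reporter's amd64, 4 on 32-bit Debian ports), while the neighbouring File, NextFile and Offset fields all use the map_ptrloc typedef. Offset is already a map_ptrloc file offset, so a section length does not need more range than that; consider declaring Size as map_ptrloc so the struct keeps a single field type. Whichever type is chosen, the struct layout changes, so the submission should state how a cache built with the old unsigned short layout is prevented from being read by the patched code.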
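Review bot: the pkgCache::DescFile hunk (@@ -252) widens Size as well, but the report only quotes the VerFile store at pkgcachegen.cc:379 and only mentions MaxVerFileSize. Please add the corresponding DescFile assignment, and the maximum it feeds, to the description so the same truncation can be confirmed there. Neither hunk touches the `VF->Size = List.Size();` call site, so nothing stops a later narrowing from going unnoticed again; a check at that store that List.Size() fits the destination field would turn the silent failure into an explicit error.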
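The truncation this report describes, as an added C++ illustration that is not part of the original report or of apt's source. The struct and function names are hypothetical stand-ins, 70000 is a constructed section size, and a 16-bit unsigned short is assumed.

```cpp
// Added illustration, not apt source: models the narrowing store from the report.
#include <cstdio>
#include <limits>
#include <stdexcept>

// Hypothetical stand-ins for pkgCache::VerFile before and after the patch.
struct VerFileNarrow { unsigned short Size; };
struct VerFileWide   { unsigned long  Size; };

// Same shape as the quoted logic: store the section size, then grow the
// parse-buffer maximum from the *stored* value, not from the real size.
template <typename VF>
unsigned long record_section(VF &vf, unsigned long &max_size,
                             unsigned long section_size) {
    // The original assignment narrows implicitly; the cast makes it visible.
    vf.Size = static_cast<decltype(vf.Size)>(section_size);
    if (max_size < vf.Size)
        max_size = vf.Size;
    return vf.Size;
}

// Defensive variant: refuse a size the destination field cannot represent.
template <typename Field>
Field checked_narrow(unsigned long value) {
    if (value > std::numeric_limits<Field>::max())
        throw std::range_error("section size does not fit in Size field");
    return static_cast<Field>(value);
}

bool narrow_rejects(unsigned long value) {
    try { (void)checked_narrow<unsigned short>(value); return false; }
    catch (const std::range_error &) { return true; }
}

int main() {
    const unsigned long section = 70000;                 // constructed, > 65535
    unsigned long max_n = 64 * 1024, max_w = 64 * 1024;  // the "64k" default
    VerFileNarrow n{};
    VerFileWide w{};
    unsigned long stored_n = record_section(n, max_n, section);
    unsigned long stored_w = record_section(w, max_w, section);
    // Narrow field: the maximum is never raised, so a buffer sized from it
    // is smaller than the section it is supposed to hold.
    std::printf("narrow: stored=%lu max=%lu\n", stored_n, max_n);
    std::printf("wide:   stored=%lu max=%lu\n", stored_w, max_w);
    std::printf("checked store rejects %lu: %d\n", section, narrow_rejects(section));
}
```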