From e32ad92dc22f433ca3ef5059ca12c93cb9b59b21 Mon Sep 17 00:00:00 2001
From: Robert Ancell
Date: Wed, 29 Aug 2018 16:13:16 +1200
Subject: [PATCH] Fix potential buffer underflow and inefficient copy using fnmatch.

If length was zero we could check the -1 index. A nul was always added because we only used the length of the string, not the buffer (i.e. off by one). Also remove a check for a negative number from an unsigned number.
---
 libappstream-glib/as-app.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/libappstream-glib/as-app.c b/libappstream-glib/as-app.c
index 5604c5da..eb375606 100644
--- a/libappstream-glib/as-app.c
+++ b/libappstream-glib/as-app.c
@@ -6219,7 +6219,9 @@ as_app_parse_appdata_guess_project_group (AsApp *app)
 static int
 as_utils_fnmatch (const gchar *pattern, const gchar *text, gsize text_sz, gint flags)
 {
- if (text_sz != -1 && text[text_sz-1] != '\0') {
+ if (text_sz == 0)
+ return FNM_NOMATCH;
+ if (text[text_sz-1] != '\0') {
 g_autofree gchar *text_with_nul = g_strndup (text, text_sz);
 return fnmatch (pattern, text_with_nul, flags);
 }
@@ -6334,7 +6336,9 @@ as_app_parse_appdata_file (AsApp *app,
 filename, error_local->message);
 return FALSE;
 }
- data = g_bytes_new_take (g_steal_pointer (&data_raw), len);
+ /* Note it is len + 1 - this is the contents of the file and the nul character
+ * that g_file_get_contents automatically appends */
+ data = g_bytes_new_take (g_steal_pointer (&data_raw), len + 1);
 if (!as_app_parse_data (app, data, flags, &error_local)) {
 g_set_error (error, AS_APP_ERROR,
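Review bot: Dropping the `text_sz != -1` test in as_utils_fnmatch removes a sentinel that was meaningful despite the unsigned type — the literal converts to `(gsize) -1`, so a caller passing -1 to mean the text is already nul-terminated used to skip straight to fnmatch, whereas with the new code `text[text_sz-1]` would read far outside the buffer. If any caller still passes that sentinel (none is visible in this hunk), keep an explicit guard ahead of the new checks, e.g. `if (text_sz == (gsize) -1) return fnmatch (pattern, text, flags);`, or add a comment above the function stating that text_sz must be the real size of the buffer behind text. Separately, the new `text_sz == 0` early-out changes results rather than only avoiding the underflow: fnmatch matches an empty string against patterns such as `*` or an empty pattern, so `return fnmatch (pattern, "", flags);` would preserve that behaviour. The remainder of as_utils_fnmatch's body continues outside the hunk.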