[Reproducible-commits] [dpkg] 25/105: dpkg-query: Be more strict when parsing the COLUMNS environment variable

Niko Tyni ntyni at moszumanska.debian.org
Mon May 2 13:49:48 UTC 2016


This is an automated email from the git hooks/post-receive script.

ntyni pushed a commit to branch ntyni/reproducible_builds
in repository dpkg.

commit 3d258742dfe5cd18e4e06a5fbd855b99bb95046e
Author: Guillem Jover <guillem at debian.org>
Date:   Tue Mar 1 02:30:59 2016 +0100

    dpkg-query: Be more strict when parsing the COLUMNS environment variable
    
    Use strtol() instead of atoi() which does not make it possible to check
    for many error conditions.
---
 debian/changelog |  1 +
 src/querycmd.c   | 11 ++++++++---
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index ec9b8b2..222a2e1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -49,6 +49,7 @@ dpkg (1.18.5) UNRELEASED; urgency=medium
   * Rewrite the trigger deferred file parser from flex to manual. The format
     is very simple, and a simple hand-written parser is smaller and avoids a
     build dependency.
+  * Be more strict when parsing the COLUMNS environment variable in dpkg-query.
   * Portability:
     - Move DPKG_ADMINDIR environment variable name out from update-alternatives
       code, to make life easier for non-dpkg-based systems.
diff --git a/src/querycmd.c b/src/querycmd.c
index 22d635c..2494f72 100644
--- a/src/querycmd.c
+++ b/src/querycmd.c
@@ -32,6 +32,8 @@
 #if HAVE_LOCALE_H
 #include <locale.h>
 #endif
+#include <errno.h>
+#include <limits.h>
 #include <string.h>
 #include <fcntl.h>
 #include <dirent.h>
@@ -63,14 +65,17 @@ static int opt_loadavail = 0;
 
 static int getwidth(void) {
   int fd;
-  int res;
+  long res;
   struct winsize ws;
   const char *columns;
+  char *endptr;
 
   columns = getenv("COLUMNS");
   if (columns) {
-    res = atoi(columns);
-    if (res > 0)
+    errno = 0;
+    res = strtol(columns, &endptr, 10);
+    if (errno != 0 && columns != endptr && *endptr == '\0' &&
+        res > 0 && res < INT_MAX)
       return res;
   }
 
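Review bot: the errno test in the new condition in getwidth() is inverted: `if (errno != 0 && columns != endptr && *endptr == '\0' &&` only returns the parsed width when strtol() reported an error, so every well-formed COLUMNS value now falls through to the ioctl/default path, and on an ERANGE error res is LONG_MAX or LONG_MIN, which the `res > 0 && res < INT_MAX` part rejects anyway, so this branch can never return. It should read `errno == 0 && columns != endptr && *endptr == '\0' &&`; the rest of the check (non-empty digits, no trailing garbage, positive, fits in int) is what the commit message describes and is fine once the errno sense is corrected.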

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/reproducible/dpkg.git
