rpm/backport-Fix-possible-read-beyond-buffer-in-rstrnlenhash.patch

From 747b7119ae89a3ccaceeae4f5570c7ab83d2cf5d Mon Sep 17 00:00:00 2001
From: Panu Matilainen <pmatilai@redhat.com>
Date: Tue, 1 Sep 2020 13:14:35 +0300
Subject: [PATCH] Fix possible read beyond buffer in rstrnlenhash()

On strings that are not \0-terminated (which are a big reason for the
existence of this function), the while-loop would try to compare the
first character beyond the specified buffer for '\0' before realizing
we're already beyond the end when checking n. Should be mostly harmless
in practise as the check for n would still terminate it, but not right.
In particular this trips up address sanitizer with the bdb backend where
some of the returned strings are not \0-terminated.

Test for string length first, and move the decrementing side-effect into
the loop for better readability.
---
 rpmio/rpmstrpool.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rpmio/rpmstrpool.c b/rpmio/rpmstrpool.c
index 776ca6dea..0db0b5313 100644
--- a/rpmio/rpmstrpool.c
+++ b/rpmio/rpmstrpool.c
@@ -88,11 +88,12 @@ static inline unsigned int rstrnlenhash(const char * str, size_t n, size_t * len
     unsigned int hash = 0xe4721b68;
     const char * s = str;
 
-    while (*s != '\0' && n-- > 0) {
+    while (n > 0 && *s != '\0') {
       hash += *s;
       hash += (hash << 10);
       hash ^= (hash >> 6);
       s++;
+      n--;
     }
     hash += (hash << 3);
     hash ^= (hash >> 11);
-- 
2.27.0
backport patches from upstream 2021-01-11 11:10:36 +08:00			`From 747b7119ae89a3ccaceeae4f5570c7ab83d2cf5d Mon Sep 17 00:00:00 2001`
			`From: Panu Matilainen <pmatilai@redhat.com>`
			`Date: Tue, 1 Sep 2020 13:14:35 +0300`
			`Subject: [PATCH] Fix possible read beyond buffer in rstrnlenhash()`

			`On strings that are not \0-terminated (which are a big reason for the`
			`existence of this function), the while-loop would try to compare the`
			`first character beyond the specified buffer for '\0' before realizing`
			`we're already beyond the end when checking n. Should be mostly harmless`
			`in practise as the check for n would still terminate it, but not right.`
			`In particular this trips up address sanitizer with the bdb backend where`
			`some of the returned strings are not \0-terminated.`

			`Test for string length first, and move the decrementing side-effect into`
			`the loop for better readability.`
			`---`
			`rpmio/rpmstrpool.c \| 3 ++-`
			`1 file changed, 2 insertions(+), 1 deletion(-)`

			`diff --git a/rpmio/rpmstrpool.c b/rpmio/rpmstrpool.c`
			`index 776ca6dea..0db0b5313 100644`
			`--- a/rpmio/rpmstrpool.c`
			`+++ b/rpmio/rpmstrpool.c`
			`@@ -88,11 +88,12 @@ static inline unsigned int rstrnlenhash(const char * str, size_t n, size_t * len`
			`unsigned int hash = 0xe4721b68;`
			`const char * s = str;`

			`- while (*s != '\0' && n-- > 0) {`
			`+ while (n > 0 && *s != '\0') {`
			`hash += *s;`
			`hash += (hash << 10);`
			`hash ^= (hash >> 6);`
			`s++;`
			`+ n--;`
			`}`
			`hash += (hash << 3);`
			`hash ^= (hash >> 11);`
			`--`
			`2.27.0`