From 165330b7bf0757e30fa8a6de9998a564fb62796f Mon Sep 17 00:00:00 2001 From: "Demi M. Obenour" Date: Tue, 29 Dec 2020 22:59:36 -0500 Subject: [PATCH] Avoid incrementing a pointer past the end MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The ‘end’ parameter to ‘strtaglen’ might point past the end of an allocation. Therefore, if ‘start’ becomes equal to ‘end’, exit the loop without calling ‘memchr’ on it. --- lib/header.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/lib/header.c b/lib/header.c index c0a989691..98eda4138 100644 --- a/lib/header.c +++ b/lib/header.c @@ -412,10 +412,8 @@ static inline int strtaglen(const char *str, rpm_count_t c, const char *end) const char *s; if (end) { - if (str >= end) - return -1; - while ((s = memchr(start, '\0', end-start))) { - if (--c == 0 || s > end) + while (end > start && (s = memchr(start, '\0', end-start))) { + if (--c == 0) break; start = s + 1; } -- 2.27.0
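Review bot: In the `strtaglen` hunk in lib/header.c, dropping `if (str >= end) return -1;` leaves no visible rejection of an empty or inverted range. `s` is declared without an initializer (`const char *s;`), so if `start` is already at or past `end` on entry, `end > start` short-circuits the `&&` and `s` is never assigned. Please confirm that the code after the loop, which this hunk does not show, decides failure from `c` alone and does not read `s` in that case. Otherwise keep the early return or initialize `s` to NULL. The same applies when the loop stops because `start` reached `end` with `c` still non-zero: the result then depends on the post-loop check rather than on the removed `s > end` test. A short comment on the loop stating that `end` may be one past the allocation and that `memchr` is never called with a zero length would record the invariant the commit message describes.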