From c0bde1c1746f6f3d0e40794dda47fc7eb0eeeb0a Mon Sep 17 00:00:00 2001
From: vexalous
Date: Sun, 26 Apr 2026 14:19:17 -0400
Subject: [PATCH 1/4] bin/xbps-create/main.c: handle malformed alternatives
---
 bin/xbps-create/main.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/bin/xbps-create/main.c b/bin/xbps-create/main.c
index d5693fa0..5a8995b2 100644
--- a/bin/xbps-create/main.c
+++ b/bin/xbps-create/main.c
@@ -249,8 +249,13 @@ process_one_alternative(const char *altgrname, const char *val)
 if (a == NULL)
 die("xbps_array_create");
 }
- altfiles = strchr(val, ':') + 1;
- assert(altfiles);
+ altfiles = strchr(val, ':');
+ if (altfiles == NULL) {
+ fprintf(stderr, "%s: WARNING: ignoring malformed alternative: %s\n", _PROGNAME, val);
+ if (alloc) xbps_object_release(d);
+ return;
+ }
+ altfiles++;
 xbps_array_add_cstring(a, altfiles);
 xbps_dictionary_set(d, altgrname, a);
From b44f72a67d221972b9ba1c952ef0c87033b24d75 Mon Sep 17 00:00:00 2001
From: vexalous
Date: Sun, 26 Apr 2026 14:22:20 -0400
Subject: [PATCH 2/4] bin/xbps-create/main.c: fix buffer size in xbps_file_sha256 call
---
 bin/xbps-create/main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bin/xbps-create/main.c b/bin/xbps-create/main.c
index 5a8995b2..78317dd2 100644
--- a/bin/xbps-create/main.c
+++ b/bin/xbps-create/main.c
@@ -545,7 +545,7 @@ ftw_cb(const char *fpath, const struct stat *sb, const struct dirent *dir UNUSED
 xe->type = ENTRY_TYPE_FILES;
 }
- if (!xbps_file_sha256(xe->sha256, sizeof sha256, fpath))
+ if (!xbps_file_sha256(xe->sha256, sizeof xe->sha256, fpath))
 die("failed to process hash for: %s", fpath);
 xbps_dictionary_set_cstring(fileinfo, "sha256", xe->sha256);
From 3a310929072f1fbbcfa2e4b79de31867b32bcd32 Mon Sep 17 00:00:00 2001
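Review bot: The early return for a missing ':' releases `d` when `alloc` is set but not the array `a`, which the context lines just above the check appear to create on demand (the `if (a == NULL) die("xbps_array_create");` lines); if it was created in this call, it leaks on the malformed-input path. The start of process_one_alternative is outside the hunk, so this is inferred, but validating `val` before anything is allocated removes the need for cleanup: move `altfiles = strchr(val, ':');` and its NULL check to the top of the function. The check also accepts a value that ends at the colon, leaving `altfiles` an empty string after the increment; if that is not a valid alternative, the condition could be `if (altfiles == NULL || altfiles[1] == '\0')`.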
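Review bot: `sizeof xe->sha256` gives the buffer capacity only if the `sha256` member is declared as an array; the struct declaration is outside this hunk, and with a `char *` member the call would pass the pointer size instead. Worth confirming against the declaration, and a short comment such as `/* xe->sha256 is a fixed-size array, so sizeof is its capacity */` would keep the call and the declaration from drifting apart. ftw_cb's body starts and ends outside the hunk.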
From: vexalous
Date: Sun, 26 Apr 2026 14:25:02 -0400
Subject: [PATCH 3/4] bin/xbps-pkgdb/check_pkg_alternatives.c: fix off-by-one buffer allocation
---
 bin/xbps-pkgdb/check_pkg_alternatives.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bin/xbps-pkgdb/check_pkg_alternatives.c b/bin/xbps-pkgdb/check_pkg_alternatives.c
index 9a0d6efe..6fa4f474 100644
--- a/bin/xbps-pkgdb/check_pkg_alternatives.c
+++ b/bin/xbps-pkgdb/check_pkg_alternatives.c
@@ -85,7 +85,7 @@ relpath(char *from, char *to)
 for (up = -1, from--; from && *from; from = strchr(from + 1, '/'), up++);
- rel = calloc(3 * up + strlen(p), sizeof(char));
+ rel = calloc(3 * up + strlen(p) + 1, sizeof(char));
 while (up--)
 strcat(rel, "../");
From fe172a84298adf1979d5fd239bb179ada72898ab Mon Sep 17 00:00:00 2001
From: vexalous
Date: Sun, 26 Apr 2026 14:28:09 -0400
Subject: [PATCH 4/4] lib/package_alternatives.c: handle missing colon safely in string functions
---
 lib/package_alternatives.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/package_alternatives.c b/lib/package_alternatives.c
index f5c7c2f2..7c5d7fc2 100644
--- a/lib/package_alternatives.c
+++ b/lib/package_alternatives.c
@@ -60,7 +60,8 @@ left(const char *str)
 static const char *
 right(const char *str)
 {
- return strchr(str, ':') + 1;
+ const char *colon = strchr(str, ':');
+ return colon ? colon + 1 : NULL;
 }
 static const char *
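Review bot: The result of `calloc` is handed to `strcat` in the very next statement without a NULL check, so an allocation failure in relpath() becomes a NULL dereference. Adding `if (rel == NULL) return NULL;` directly after the allocation would close that, assuming relpath returns the buffer and its callers test the result; the rest of the function is outside the hunk. A one-line comment on the size, e.g. `/* "../" per level, the remaining path, and the terminating NUL */`, would also record why the `+ 1` is there.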
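Review bot: right() now returns NULL for a string without ':', but no hunk in this series touches its callers, so a caller that passes the result straight to a string function would dereference NULL where it previously received an invalid pointer; the callers are outside the hunk and need checking. The new contract should be stated on the function, e.g. `/* Returns the text after the first ':' in str, or NULL when str contains no ':'. */`. left(), named in the hunk header, is worth checking for the same missing-colon case, since the subject line speaks of string functions in the plural.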