Merge branch 'maint-0.3.5'

changes/bug28202

@@ -0,0 +1,4 @@
+  o Minor bugfixes (C correctness):
+    - Avoid undefined behavior in an end-of-string check when parsing the
+      BEGIN line in a directory object.  Fixes bug 28202; bugfix on
+      0.2.0.3-alpha.

src/feature/dirparse/microdesc_parse.c

@@ -50,13 +50,13 @@ find_start_of_next_microdesc(const char *s, const char *eos)
     return NULL;
 
 #define CHECK_LENGTH() STMT_BEGIN \
-    if (s+32 > eos)               \
+    if (eos - s < 32)             \
       return NULL;                \
   STMT_END
 
 #define NEXT_LINE() STMT_BEGIN            \
     s = memchr(s, '\n', eos-s);           \
-    if (!s || s+1 >= eos)                 \
+    if (!s || eos - s <= 1)               \
       return NULL;                        \
     s++;                                  \
   STMT_END
@@ -80,7 +80,7 @@ find_start_of_next_microdesc(const char *s, const char *eos)
   /* Okay, now we're pointed at the first line of the microdescriptor which is
      not an annotation or onion-key.  The next line that _is_ an annotation or
      onion-key is the start of the next microdescriptor. */
-  while (s+32 < eos) {
+  while (eos - s > 32) {
     if (*s == '@' || !strcmpstart(s, "onion-key"))
       return s;
     NEXT_LINE();

src/feature/dirparse/parsecommon.c

@@ -353,7 +353,7 @@ get_next_token(memarea_t *area,
     goto check_object;
 
   obstart = *s; /* Set obstart to start of object spec */
-  if (*s+16 >= eol || memchr(*s+11,'\0',eol-*s-16) || /* no short lines, */
+  if (eol - *s <= 16 || memchr(*s+11,'\0',eol-*s-16) || /* no short lines, */
       strcmp_len(eol-5, "-----", 5) ||           /* nuls or invalid endings */
       (eol-*s) > MAX_UNPARSED_OBJECT_SIZE) {     /* name too long */
     RET_ERR("Malformed object: bad begin line");