From 36d6e1a578431853b744d2ecc44b04fff5f81a18 Mon Sep 17 00:00:00 2001
From: Michal Domonkos
Date: Mon, 19 Jul 2021 16:38:22 +0200
Subject: [PATCH] Address important covscan issues

Resolves: #1938846
---
 popt-1.18-imp-covscan-fixes.patch | 64 +++++++++++++++++++++++++++++++
 popt.spec | 8 +++-
 2 files changed, 70 insertions(+), 2 deletions(-)
 create mode 100644 popt-1.18-imp-covscan-fixes.patch
diff --git a/popt-1.18-imp-covscan-fixes.patch b/popt-1.18-imp-covscan-fixes.patch
new file mode 100644
index 0000000..f3c15f9
--- /dev/null
+++ b/popt-1.18-imp-covscan-fixes.patch
@@ -0,0 +1,64 @@
+commit 7e60d11c1b046e54378cf79280f4a856741c8749
+Author: Tobias Stoeckmann
+Date: Sat Aug 22 14:09:58 2020 +0200
+
+ Close iconv in case of allocation error
+
+ If memory allocation in strdup_locale_from_utf8 fails after calling
+ iconv_open, the returned conversion descriptor is not closed.
+
+diff --git a/src/poptint.c b/src/poptint.c
+index 0cec176..3a0919a 100644
+--- a/src/poptint.c
++++ b/src/poptint.c
+@@ -91,8 +91,10 @@ strdup_locale_from_utf8 (char * istr)
+ size_t ob = db;
+ size_t err;
+
+- if (dstr == NULL)
++ if (dstr == NULL) {
++ (void) iconv_close(cd);
+ return NULL;
++ }
+ err = iconv(cd, NULL, NULL, NULL, NULL);
+ while (1) {
+ *pout = '\0';
+commit 70011cc5763dca9a9b57e9539b465e00c9769996
+Author: Michal Domonkos
+Date: Mon Jul 19 14:41:03 2021 +0200
+
+ Fix potential mem leak in poptReadConfigFile()
+
+ While it seems that the actual implementation of poptReadFile()
+ shouldn't allocate the passed buffer (b) if the number of bytes (nb) is
+ zero (see the read(2) call in that function), it's still up to the
+ caller to take care of this resource, so let's just do that by bailing
+ out via "exit" where the freeing happens.
+
+ Also initialize t to NULL to avoid freeing an undefined pointer.
+
+ Found by Coverity.
+
+diff --git a/src/poptconfig.c b/src/poptconfig.c
+index 8623ba2..7c52315 100644
+--- a/src/poptconfig.c
++++ b/src/poptconfig.c
+@@ -344,13 +344,15 @@ int poptReadConfigFile(poptContext con, const char * fn)
+ char * b = NULL, *be;
+ size_t nb = 0;
+ const char *se;
+- char *t, *te;
++ char *t = NULL, *te;
+ int rc;
+
+ if ((rc = poptReadFile(fn, &b, &nb, POPT_READFILE_TRIMNEWLINES)) != 0)
+ return (errno == ENOENT ? 0 : rc);
+- if (b == NULL || nb == 0)
+- return POPT_ERROR_BADCONFIG;
++ if (b == NULL || nb == 0) {
++ rc = POPT_ERROR_BADCONFIG;
++ goto exit;
++ }
+
+ if ((t = malloc(nb + 1)) == NULL)
+ goto exit;
diff --git a/popt.spec b/popt.spec
index a512dc9..45a3b10 100644
--- a/popt.spec
+++ b/popt.spec
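Review bot: In the poptReadConfigFile() hunk, the allocation-failure path just below the new block (`if ((t = malloc(nb + 1)) == NULL) goto exit;`) still jumps to `exit` without setting `rc`. At that point `rc` holds the 0 returned by poptReadFile(), so an out-of-memory condition would apparently be reported to the caller as success with no configuration applied. The new bad-config branch sets `rc` before the jump, and the malloc branch should do the same, e.g. `if ((t = malloc(nb + 1)) == NULL) { rc = POPT_ERROR_MALLOC; goto exit; }`. The `exit` label and the rest of the function are outside the hunk, so confirm that nothing there rewrites `rc` before relying on this.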
@@ -5,10 +5,11 @@ Summary: C library for parsing command line parameters Name: popt Version: %{ver}%{?snap:~%{snap}} -Release: 5%{?dist} +Release: 6%{?dist} License: MIT URL: https://github.com/rpm-software-management/popt/ Source0: http://ftp.rpm.org/popt/releases/popt-1.x/%{name}-%{srcver}.tar.gz +Patch0: popt-1.18-imp-covscan-fixes.patch BuildRequires: gcc BuildRequires: gettext BuildRequires: make @@ -43,7 +44,7 @@ Install it if you need to link statically with libpopt. %endif %prep -%autosetup -n %{name}-%{srcver} +%autosetup -n %{name}-%{srcver} -p1 %build %configure %{?_without_static:--disable-static} @@ -84,6 +85,9 @@ make check %endif %changelog +* Mon Jul 19 2021 Michal Domonkos - 1.18-6 +- Address important covscan issues (#1938846) + * Fri Apr 16 2021 Mohan Boddu - 1.18-5 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937