- Fix sigsegv in stringFormat()

- Resolves: #1316903 - Fix reading rpmtd behind its size in formatValue() - Resolves: #1316896
2016-04-25 15:17:59 +02:00 · 2016-04-25 15:17:59 +02:00 · 177601750a
commit 177601750a
parent 9f6c27f43a
3 changed files with 67 additions and 1 deletions
--- a/rpm-4.13.0-rpmtd-out-of-bounds.patch
+++ b/rpm-4.13.0-rpmtd-out-of-bounds.patch
@ -0,0 +1,27 @@
+From b722cf86200505b3e3fcbb2095c4ff61f1f5a2ab Mon Sep 17 00:00:00 2001
+From: Lubos Kardos <lkardos@redhat.com>
+Date: Mon, 25 Apr 2016 13:31:08 +0200
+Subject: [PATCH 1/2] Fix reading rpmtd behind its size in formatValue()
+ (rhbz:1316896)
+
+When it is read from index higher than size of rpmtd, return "(none)".
+---
+ lib/headerfmt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/headerfmt.c b/lib/headerfmt.c
+index fb29d6f..f6fd707 100644
+--- a/lib/headerfmt.c
+++ b/lib/headerfmt.c
+@@ -623,7 +623,7 @@ static char * formatValue(headerSprintfArgs hsa, sprintfTag tag, int element)
+     char * t, * te;
+     rpmtd td;
+ 
+-    if ((td = getData(hsa, tag->tag))) {
+    if ((td = getData(hsa, tag->tag)) && td->count > element) {
+ 	td->ix = element; /* Ick, use iterators instead */
+ 	val = tag->fmt(td);
+     } else {
+-- 
+1.9.3
+
--- a/rpm-4.13.0-stringFormat-sigsegv.patch
+++ b/rpm-4.13.0-stringFormat-sigsegv.patch
@ -0,0 +1,33 @@
+From cddf43a56f19711866371f02f378dc4095b0fadd Mon Sep 17 00:00:00 2001
+From: Lubos Kardos <lkardos@redhat.com>
+Date: Mon, 25 Apr 2016 14:38:47 +0200
+Subject: [PATCH 2/2] Fix sigsegv in stringFormat() (rhbz:1316903)
+
+Just skip duping of NULL and return it. Returned NULL is handled in
+upper layer.
+---
+ lib/formats.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/lib/formats.c b/lib/formats.c
+index e3626ed..bad0b2d 100644
+--- a/lib/formats.c
+++ b/lib/formats.c
+@@ -44,9 +44,12 @@ static char * stringFormat(rpmtd td)
+ 	case RPM_NUMERIC_CLASS:
+ 	    rasprintf(&val, "%" PRIu64, rpmtdGetNumber(td));
+ 	    break;
+-	case RPM_STRING_CLASS:
+-	    val = xstrdup(rpmtdGetString(td));
+	case RPM_STRING_CLASS: {
+	    const char *str = rpmtdGetString(td);
+	    if (str)
+		val = xstrdup(str);
+ 	    break;
+	}
+ 	case RPM_BINARY_CLASS:
+ 	    val = pgpHexStr(td->data, td->count);
+ 	    break;
+-- 
+1.9.3
+
--- a/rpm.spec
+++ b/rpm.spec
@ -29,7 +29,7 @@
 Summary: The RPM package management system
 Name: rpm
 Version: %{rpmver}
-Release: %{?snapver:0.%{snapver}.}32%{?dist}
+Release: %{?snapver:0.%{snapver}.}33%{?dist}
 Group: System Environment/Base
 Url: http://www.rpm.org/
 Source0: http://rpm.org/releases/rpm-4.12.x/%{name}-%{srcver}.tar.bz2
@ -79,6 +79,8 @@ Patch123: rpm-4.13.0-weak-rich-consistency.patch
 Patch124: rpm-4.13.0-fuzz-settings.patch
 Patch125: rpm-4.13.0-patch-flags.patch
 Patch126: rpm-4.13.0-no-backup-if-mismatch.patch
+Patch127: rpm-4.13.0-rpmtd-out-of-bounds.patch
+Patch128: rpm-4.13.0-stringFormat-sigsegv.patch

 # These are not yet upstream
 Patch302: rpm-4.7.1-geode-i686.patch
@ -590,6 +592,10 @@ exit 0
 %doc doc/librpm/html/*

 %changelog
+* Mon Apr 25 2016 Lubos Kardos <lkardos@redhat.com> 4.13.0-0.rc1.33
+- Fix sigsegv in stringFormat() (#1316903)
+- Fix reading rpmtd behind its size in formatValue() (#1316896)
+
 * Fri Apr 15 2016 Lubos Kardos <lkardos@redhat.com> 4.13.0-0.rc1.32
 - escape %% chars in previous changelog record