- Fix sigsegv in stringFormat()

- resolves: #1316903 - Fix reading rpmtd behind its size in formatValue() - resolves: #1316896
2016-04-25 15:48:15 +02:00 · 2016-04-25 15:48:15 +02:00 · 165614f3dd
parent 367ec3f990
commit 165614f3dd
3 changed files with 67 additions and 1 deletions
--- a/rpm-4.13.0-rpmtd-out-of-bounds.patch
+++ b/rpm-4.13.0-rpmtd-out-of-bounds.patch
@ -0,0 +1,27 @@
+From b722cf86200505b3e3fcbb2095c4ff61f1f5a2ab Mon Sep 17 00:00:00 2001
+From: Lubos Kardos <lkardos@redhat.com>
+Date: Mon, 25 Apr 2016 13:31:08 +0200
+Subject: [PATCH 1/2] Fix reading rpmtd behind its size in formatValue()
+ (rhbz:1316896)
+
+When it is read from index higher than size of rpmtd, return "(none)".
+---
+ lib/headerfmt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/headerfmt.c b/lib/headerfmt.c
+index fb29d6f..f6fd707 100644
+--- a/lib/headerfmt.c
+++ b/lib/headerfmt.c
+@@ -623,7 +623,7 @@ static char * formatValue(headerSprintfArgs hsa, sprintfTag tag, int element)
+     char * t, * te;
+     rpmtd td;
+ 
+-    if ((td = getData(hsa, tag->tag))) {
+    if ((td = getData(hsa, tag->tag)) && td->count > element) {
+ 	td->ix = element; /* Ick, use iterators instead */
+ 	val = tag->fmt(td);
+     } else {
+-- 
+1.9.3
+
--- a/rpm-4.13.0-stringFormat-sigsegv.patch
+++ b/rpm-4.13.0-stringFormat-sigsegv.patch
@ -0,0 +1,33 @@
+From cddf43a56f19711866371f02f378dc4095b0fadd Mon Sep 17 00:00:00 2001
+From: Lubos Kardos <lkardos@redhat.com>
+Date: Mon, 25 Apr 2016 14:38:47 +0200
+Subject: [PATCH 2/2] Fix sigsegv in stringFormat() (rhbz:1316903)
+
+Just skip duping of NULL and return it. Returned NULL is handled in
+upper layer.
+---
+ lib/formats.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/lib/formats.c b/lib/formats.c
+index e3626ed..bad0b2d 100644
+--- a/lib/formats.c
+++ b/lib/formats.c
+@@ -44,9 +44,12 @@ static char * stringFormat(rpmtd td)
+ 	case RPM_NUMERIC_CLASS:
+ 	    rasprintf(&val, "%" PRIu64, rpmtdGetNumber(td));
+ 	    break;
+-	case RPM_STRING_CLASS:
+-	    val = xstrdup(rpmtdGetString(td));
+	case RPM_STRING_CLASS: {
+	    const char *str = rpmtdGetString(td);
+	    if (str)
+		val = xstrdup(str);
+ 	    break;
+	}
+ 	case RPM_BINARY_CLASS:
+ 	    val = pgpHexStr(td->data, td->count);
+ 	    break;
+-- 
+1.9.3
+
--- a/rpm.spec
+++ b/rpm.spec
@ -27,7 +27,7 @@
 Summary: The RPM package management system
 Name: rpm
 Version: %{rpmver}
-Release: %{?snapver:0.%{snapver}.}16%{?dist}
+Release: %{?snapver:0.%{snapver}.}17%{?dist}
 Group: System Environment/Base
 Url: http://www.rpm.org/
 Source0: http://rpm.org/releases/rpm-4.12.x/%{name}-%{srcver}.tar.bz2
@ -68,6 +68,8 @@ Patch110: rpm-4.12.0-Fix-Python3-import.patch
 Patch111: rpm-4.12.x-weakdeps-manpage.patch
 Patch112: rpm-4.12.0-fix-crash-on-corrupted.patch
 Patch113: rpm-4.12.0-unlimited-macro-expand.patch
+Patch114: rpm-4.13.0-rpmtd-out-of-bounds.patch
+Patch115: rpm-4.13.0-stringFormat-sigsegv.patch

 # These are not yet upstream
 Patch302: rpm-4.7.1-geode-i686.patch
@ -552,6 +554,10 @@ exit 0
 %doc doc/librpm/html/*

 %changelog
+* Mon Apr 25 2016 Lubos Kardos <lkardos@redhat.com> - 4.12.0.1-17
+- Fix sigsegv in stringFormat() (#1316903)
+- Fix reading rpmtd behind its size in formatValue() (#1316896)
+
 * Mon Feb 29 2016 Lubos Kardos <lkardos@redhat.com> - 4.12.0.1-16
 - Fix problems caused by the changes done in the previous version