- Fix crash when parsing corrupted RPM file

- Resolves: #1273360
2015-11-20 14:05:37 +01:00 · 2015-11-20 14:05:37 +01:00 · afee5b61a3
parent b0b7f20ef8
commit afee5b61a3
2 changed files with 64 additions and 1 deletions
--- a/rpm-4.12.0-fix-crash-on-corrupted.patch
+++ b/rpm-4.12.0-fix-crash-on-corrupted.patch
@ -0,0 +1,59 @@
+From 9c36ca411332d2718eca339e867561c39abc256b Mon Sep 17 00:00:00 2001
+From: Lubos Kardos <lkardos@redhat.com>
+Date: Fri, 6 Nov 2015 14:49:59 +0100
+Subject: [PATCH] Fix crash when parsing corrupted RPM file (rhbz:1273360)
+
+---
+ lib/legacy.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/lib/legacy.c b/lib/legacy.c
+index 422c2b0..8ba7bbd 100644
+--- a/lib/legacy.c
+++ b/lib/legacy.c
+@@ -25,7 +25,7 @@ static void compressFilelist(Header h)
+     char ** dirNames;
+     const char ** baseNames;
+     uint32_t * dirIndexes;
+-    rpm_count_t count;
+    rpm_count_t count, realCount = 0;
+     int i;
+     int dirIndex = -1;
+ 
+@@ -58,6 +58,7 @@ static void compressFilelist(Header h)
+ 	    while ((i = rpmtdNext(&fileNames)) >= 0) {
+ 		dirIndexes[i] = dirIndex;
+ 		baseNames[i] = rpmtdGetString(&fileNames);
+		realCount++;
+ 	    }
+ 	    goto exit;
+ 	}
+@@ -87,19 +88,20 @@ static void compressFilelist(Header h)
+ 	    (needle = bsearch(&filename, dirNames, dirIndex + 1, sizeof(dirNames[0]), dncmp)) == NULL) {
+ 	    char *s = xmalloc(len + 1);
+ 	    rstrlcpy(s, filename, len + 1);
+-	    dirIndexes[i] = ++dirIndex;
+	    dirIndexes[realCount] = ++dirIndex;
+ 	    dirNames[dirIndex] = s;
+ 	} else
+-	    dirIndexes[i] = needle - dirNames;
+	    dirIndexes[realCount] = needle - dirNames;
+ 
+ 	*baseName = savechar;
+-	baseNames[i] = baseName;
+	baseNames[realCount] = baseName;
+	realCount++;
+     }
+ 
+ exit:
+     if (count > 0) {
+-	headerPutUint32(h, RPMTAG_DIRINDEXES, dirIndexes, count);
+-	headerPutStringArray(h, RPMTAG_BASENAMES, baseNames, count);
+	headerPutUint32(h, RPMTAG_DIRINDEXES, dirIndexes, realCount);
+	headerPutStringArray(h, RPMTAG_BASENAMES, baseNames, realCount);
+ 	headerPutStringArray(h, RPMTAG_DIRNAMES, 
+ 			     (const char **) dirNames, dirIndex + 1);
+     }
+-- 
+1.9.3
+
--- a/rpm.spec
+++ b/rpm.spec
@ -27,7 +27,7 @@
 Summary: The RPM package management system
 Name: rpm
 Version: %{rpmver}
-Release: %{?snapver:0.%{snapver}.}13%{?dist}
+Release: %{?snapver:0.%{snapver}.}14%{?dist}
 Group: System Environment/Base
 Url: http://www.rpm.org/
 Source0: http://rpm.org/releases/rpm-4.12.x/%{name}-%{srcver}.tar.bz2
@ -66,6 +66,7 @@ Patch108: rpm-4.12.0-gpg-passphrase1.patch
 Patch109: rpm-4.12.0-gpg-passphrase2.patch
 Patch110: rpm-4.12.0-Fix-Python3-import.patch
 Patch111: rpm-4.12.x-weakdeps-manpage.patch
+Patch112: rpm-4.12.0-fix-crash-on-corrupted.patch

 # These are not yet upstream
 Patch302: rpm-4.7.1-geode-i686.patch
@ -550,6 +551,9 @@ exit 0
 %doc doc/librpm/html/*

 %changelog
+* Fri Nov 20 2015 Lubos Kardos <lkardos@redhat.com> - 4.12.0.1-14
+- Fix crash when parsing corrupted RPM file (#1273360)
+
 * Fri Oct 30 2015 Florian Festi <ffesti@rpm.org> - 4.12.0.1-13
 - Add query options for weak dependencies to the man page (#1235230)