From d5eabb9c2d051492f7686d8f01a8eccf83ae00a4 Mon Sep 17 00:00:00 2001
From: Michal Grzedzicki
Date: Jul 03 2024 17:12:40 +0000
Subject: Fix segfault in rpm2extents where headerFree() crashes trying to free uninitialized header value in process_package().
---
diff --git a/SOURCES/0036-rpmcow-fix-segfault-in-rpm2extents.patch b/SOURCES/0036-rpmcow-fix-segfault-in-rpm2extents.patch
new file mode 100644
index 0000000..97c8807
--- /dev/null
+++ b/SOURCES/0036-rpmcow-fix-segfault-in-rpm2extents.patch
@@ -0,0 +1,11 @@
+--- rpm2extents.c 2024-07-03 07:13:36.195332381 -0700
++++ rpm2extents.c 2024-07-03 07:13:43.606553540 -0700
+@@ -269,7 +269,7 @@
+
+ FD_t fdo;
+ FD_t gzdi;
+- Header h, sigh;
++ Header h=NULL, sigh=NULL;
+ long fundamental_block_size = sysconf(_SC_PAGESIZE);
+ rpmRC rc = RPMRC_OK;
+ rpm_mode_t mode;
diff --git a/SPECS/rpm.spec b/SPECS/rpm.spec
index ec4a51f..81b40e3 100644
--- a/SPECS/rpm.spec
+++ b/SPECS/rpm.spec
@@ -42,7 +42,7 @@ %global rpmver 4.14.3 #global snapver rc2 -%global rel 26.3 +%global rel 26.4 %global srcver %{version}%{?snapver:-%{snapver}} %global srcdir %{?snapver:testing}%{!?snapver:%{name}-%(echo %{version} | cut -d'.' -f1-2).x}
@@ -249,6 +249,7 @@ Patch9931: 0031-rpmcow-denylist.patch Patch9932: 0032-rpmcow-workaround.patch Patch9933: 0033-rpmcow-fix-stack-overflow-in-rpm2extents.patch Patch9934: 0034-rpmcow-fix-issue-for-transaction-with-transcoded-and-untranscoded-packages.patch +Patch9935: 0036-rpmcow-fix-segfault-in-rpm2extents.patch Provides: rpm(pr1470) Provides: rpm(pr1470_1)
@@ -846,6 +847,9 @@ make check || cat tests/rpmtests.log %doc doc/librpm/html/* %changelog +* Wed Jul 3 2023 Michal Grzedzicki - 4.14.3-26.4 +- Fix segfault in rpm2extents + * Wed Sep 13 2023 Richard Phibel - 4.14.3-26.3 - Fix IMA signature lengths assumed constant
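Review bot: `FD_t fdo;` and `FD_t gzdi;`, in the context lines of the embedded rpm2extents.c hunk, are still declared without initializers, directly above the two headers this patch sets to NULL. The body of process_package() lies outside the hunk, so it is unconfirmed whether the exit path that calls headerFree() also releases these descriptors; if it does, an early failure on a malformed package would pass an indeterminate pointer to the close call in the same way. Writing `FD_t fdo = NULL;` and `FD_t gzdi = NULL;` and releasing them only when non-NULL would cover that case. A short comment on the changed line, for example `/* NULL so the shared cleanup can call headerFree() before the headers are read */`, would keep the initializers from being dropped in a later refactor.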