teknoraver / rpms / rpm

Forked from rpms/rpm 4 months ago
Clone
Source Code
GIT

Blame rpm-4.13.0-memory-error.patch

c10s-sig-hyperscale c8 c8s c8s-sig-hyperscale c9 c9s-sig-hyperscale
  1.   8b1762e9545628a61fa1dfb389946ce2a7d6d6ce
  2.   rpm-4.13.0-memory-error.patch
Blob History Raw
Lubos Kardos c235b1 
From 54f24ec5486bdacde9419466a2c27defaddf508e Mon Sep 17 00:00:00 2001
Lubos Kardos c235b1 
From: Lubos Kardos <lkardos@redhat.com>
Lubos Kardos c235b1 
Date: Mon, 21 Sep 2015 11:02:45 +0200
Lubos Kardos c235b1 
Subject: [PATCH] Fix reading a memory right after the end of an allocated
Lubos Kardos c235b1 
 area.
Lubos Kardos c235b1
Lubos Kardos c235b1 
The problem evinced itself when somebody tried to use the macro
Lubos Kardos c235b1 
expansion on the string "%!". The problem was revealed by compiling
Lubos Kardos c235b1 
with "--fsanitize=memory" (rhbz:#1260248).
Lubos Kardos c235b1 
---
Lubos Kardos c235b1 
 rpmio/macro.c | 2 +-
Lubos Kardos c235b1 
 1 file changed, 1 insertion(+), 1 deletion(-)
Lubos Kardos c235b1
Lubos Kardos c235b1 
diff --git a/rpmio/macro.c b/rpmio/macro.c
Lubos Kardos c235b1 
index 46e6b87..4b3c41b 100644
Lubos Kardos c235b1 
--- a/rpmio/macro.c
Lubos Kardos c235b1 
+++ b/rpmio/macro.c
Lubos Kardos c235b1 
@@ -993,7 +993,7 @@ expandMacro(MacroBuf mb, const char *src, size_t slen)
Lubos Kardos c235b1 
 	chkexist = 0;
Lubos Kardos c235b1 
 	switch ((c = *s)) {
Lubos Kardos c235b1 
 	default:		/* %name substitution */
Lubos Kardos c235b1 
-		while (strchr("!?", *s) != NULL) {
Lubos Kardos c235b1 
+		while (*s != '\0' && strchr("!?", *s) != NULL) {
Lubos Kardos c235b1 
 			switch(*s++) {
Lubos Kardos c235b1 
 			case '!':
Lubos Kardos c235b1 
 				negate = ((negate + 1) % 2);
Lubos Kardos c235b1 
--
Lubos Kardos c235b1 
1.9.3
Lubos Kardos c235b1

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation