diff --git a/SOURCES/Fix-a-memory-leak-on-invalid-input.patch b/SOURCES/Fix-a-memory-leak-on-invalid-input.patch new file mode 100644 index 0000000..a999eb9 --- /dev/null +++ b/SOURCES/Fix-a-memory-leak-on-invalid-input.patch @@ -0,0 +1,31 @@ +From 47af5b2365a306532d1e0b786f0d7f9754f914cd Mon Sep 17 00:00:00 2001 +From: Peter Pentchev +Date: Mon, 1 Jun 2020 10:25:34 +0300 +Subject: [PATCH] Fix a memory leak on invalid input. + +--- + src/drpm_decompstrm.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/drpm_decompstrm.c b/src/drpm_decompstrm.c +index d885dcf..ec3115e 100644 +--- a/src/drpm_decompstrm.c ++++ b/src/drpm_decompstrm.c +@@ -746,14 +746,14 @@ int readchunk_zstd(struct decompstrm *strm) + return DRPM_ERR_IO; + } + ++ if (in_len == 0) ++ return DRPM_ERR_FORMAT; ++ + size_t const buffOutSize = ZSTD_DStreamOutSize(); + void* const buffOut = malloc(buffOutSize); + if (buffOut == NULL) + return DRPM_ERR_MEMORY; + +- if (in_len == 0) +- return DRPM_ERR_FORMAT; +- + ZSTD_inBuffer input = { in_buffer, in_len, 0 }; + + while (input.pos < input.size) { diff --git a/SPECS/drpm.spec b/SPECS/drpm.spec index 7e2bc77..5dae5f8 100644 --- a/SPECS/drpm.spec +++ b/SPECS/drpm.spec @@ -7,7 +7,7 @@ Name: drpm Version: 0.4.1 -Release: 2%{?dist} +Release: 3%{?dist} Summary: A library for making, reading and applying deltarpm packages # the entire source code is LGPLv2+, except src/drpm_diff.c and src/drpm_search.c which are BSD License: LGPLv2+ and BSD @@ -17,6 +17,7 @@ Source: %{url}/releases/download/%{version}/%{name}-%{version}.tar.bz2 # add workaround for gcc7 on ppc64le temporary before it's fixed in gcc # https://bugzilla.redhat.com/show_bug.cgi?id=1420350 Patch1: drpm-0.3.0-workaround-ppc64le-gcc.patch +Patch2: Fix-a-memory-leak-on-invalid-input.patch BuildRequires: cmake >= 2.8.5 BuildRequires: gcc @@ -85,6 +86,9 @@ popd %{_libdir}/pkgconfig/drpm.pc %changelog +* Tue Aug 11 2020 Nicola Sella - 0.4.1-3 +- Fix a memory leak on invalid input (RhBug:1866786) + * Tue Jun 02 2020 Ales Matej 0.4.1-2 - Rebuild with zstd support (RhBug:1842036)