Description of problem:
The file with the hex representation of "25 21" behaves strangely when 4.12.0.1 is compiled with ASAN and afl-fuzz under Debian Sid.

Version-Release number of selected component (if applicable):
4.12.0.1

How reproducible:
In my case, 100% of the time.

Steps to Reproduce:
1. Build rpm with -fsanitize=address
2. echo '2521' | xxd -r -p > a.rpm
3. rpm -qlp a.rpm

Actual results:
root@1442a2c3a089:~/o/master/crashes# rpm -qlp id\:000000\,sig\:06\,src\:000093\,op\:havoc\,rep\:4
error: rpmdb: BDB0113 Thread/process 16758/139899090507648 failed: BDB1507 Thread died in Berkeley DB library
error: db5 error(-30973) from dbenv->failchk: BDB0087 DB_RUNRECOVERY: Fatal error, run database recovery
error: cannot open Packages index using db5 - (-30973)
error: cannot open Packages database in /root/.rpmdb
=================================================================
==635==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000025f3 at pc 0x7fc5e406e9d1 bp 0x7ffca44a3270 sp 0x7ffca44a3268
READ of size 1 at 0x6020000025f3 thread T0
    #0 0x7fc5e406e9d0 (/usr/lib/x86_64-linux-gnu/librpmio.so.3+0x239d0)
    #1 0x7fc5e407d7dc in rpmExpand (/usr/lib/x86_64-linux-gnu/librpmio.so.3+0x327dc)
    #2 0x7fc5e446bb06 (/usr/lib/x86_64-linux-gnu/librpm.so.3+0x166b06)
    #3 0x7fc5e441c111 in rpmcliArgIter (/usr/lib/x86_64-linux-gnu/librpm.so.3+0x117111)
    #4 0x7fc5e441c434 in rpmcliQuery (/usr/lib/x86_64-linux-gnu/librpm.so.3+0x117434)
    #5 0x402ee4 (/usr/bin/rpm+0x402ee4)
    #6 0x7fc5e3899b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #7 0x404513 (/usr/bin/rpm+0x404513)

0x6020000025f3 is located 0 bytes to the right of 3-byte region [0x6020000025f0,0x6020000025f3)
allocated by thread T0 here:
    #0 0x7fc5e47b537a in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9437a)
    #1 0x7fc5e40925b0 in rmalloc (/usr/lib/x86_64-linux-gnu/librpmio.so.3+0x475b0)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
==635==ABORTING

Expected results:
ASAN not complaining

Additional info:
Please correct the tags if I got them wrong.
I meant "built with afl-gcc". You can easily reproduce this bug using github.com/d33tah/aflize docker image and building an aflized version of rpm.
Fixed upstream: https://github.com/rpm-software-management/rpm/commit/54f24ec5486bdacde9419466a2c27defaddf508e
Fixed in rpm-4.13.0-0.rc1.7.fc24