Bug 28645 - Fix for cpio code
Product: Red Hat Linux
Classification: Retired
Component: rpm
Hardware/OS: All / Linux
Priority: medium
Severity: medium
Assigned To: Jeff Johnson
David Lawrence
Reported: 2001-02-21 13:07 EST by Joe Orton
Modified: 2007-04-18 12:31 EDT (History)
Doc Type: Bug Fix
Last Closed: 2001-02-22 11:25:44 EST
Attachments
Fixes for cpio (2.06 KB, patch), 2001-02-21 13:08 EST, Joe Orton

Description Joe Orton 2001-02-21 13:07:20 EST
The cpio code failed on AIX 4.3.

This patch fixes what looks like a serious problem: the cpio code does a
strlen() on strings which are not NUL-terminated.

It also switches to using malloc/free rather than alloca in this code:
combined, but I don't know why this is necessary.

These changes make AIX 4.3 work again.  (Neither alone was sufficient.)
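The underlying problem in this report is a parser calling strlen() on a pointer into a header whose fields are fixed-width and not NUL-terminated. The following is an added example, not rpm's code or the attached patch: a bounded parser for one such 8-byte hexadecimal field (the cpio "newc" layout packs thirteen of them after the 6-byte magic), which copies the field into a local buffer, NUL-terminates it before any str*() call, and rejects a field unless every byte was a hex digit and strtoul consumed exactly the field width. The function names, the sample header and its field values are constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CPIO_FIELD_LEN 8

/* Added example, not rpm's code. Parse one fixed-width hex header field
 * that is NOT NUL-terminated. The bytes are copied into a bounded local
 * buffer and NUL-terminated before strtoul() sees them, so nothing walks
 * past the field into its neighbour. Returns 0 on success, -1 if the
 * field is not exactly `len` hex digits. */
int parse_hex_field(const char *field, size_t len, unsigned long *out)
{
    char buf[CPIO_FIELD_LEN + 1];
    char *end;
    size_t i;

    if (len == 0 || len > CPIO_FIELD_LEN)
        return -1;
    /* strtoul() silently accepts leading blanks, a sign and a "0x" prefix;
     * a header field is only valid if every byte is a hex digit. */
    for (i = 0; i < len; i++)
        if (!isxdigit((unsigned char)field[i]))
            return -1;

    memcpy(buf, field, len);   /* bounded copy: exactly len bytes are read */
    buf[len] = '\0';           /* now it is a string */
    *out = strtoul(buf, &end, 16);
    /* Same idea as the GET_NUM_FIELD check in comment 4: the whole field,
     * and nothing more, must have been consumed. */
    return ((size_t)(end - buf) == len) ? 0 : -1;
}

/* Byte offsets of the newc fields used below (magic, then 8-byte fields
 * in the order ino, mode, uid, gid, nlink, mtime, filesize, devmajor,
 * devminor, rdevmajor, rdevminor, namesize, check). */
#define NEWC_MAGIC_LEN    6
#define NEWC_FILESIZE_OFF (NEWC_MAGIC_LEN + 6 * CPIO_FIELD_LEN)
#define NEWC_NAMESIZE_OFF (NEWC_MAGIC_LEN + 11 * CPIO_FIELD_LEN)

/* Constructed sample header. As a string literal it happens to end in a
 * NUL; a header read from a real archive sits in a larger buffer with the
 * filename following immediately, which is exactly why strlen() on a
 * pointer to one field is an over-read. */
static const char sample_header[] =
    "070701"
    "00000001" /* ino */       "000081a4" /* mode */
    "00000000" /* uid */       "00000000" /* gid */
    "00000001" /* nlink */     "3b2a6b10" /* mtime */
    "00000010" /* filesize = 16 */
    "00000008" /* devmajor */  "00000001" /* devminor */
    "00000000" /* rdevmajor */ "00000000" /* rdevminor */
    "0000000a" /* namesize = 10 */
    "00000000"; /* check */

int sample_filesize(unsigned long *out)
{
    return parse_hex_field(sample_header + NEWC_FILESIZE_OFF, CPIO_FIELD_LEN, out);
}

int sample_namesize(unsigned long *out)
{
    return parse_hex_field(sample_header + NEWC_NAMESIZE_OFF, CPIO_FIELD_LEN, out);
}

int main(void)
{
    unsigned long size, namesize;

    if (memcmp(sample_header, "070701", NEWC_MAGIC_LEN) != 0)
        return 1;
    if (sample_filesize(&size) != 0 || sample_namesize(&namesize) != 0) {
        fprintf(stderr, "bad header\n");
        return 1;
    }
    printf("filesize=%lu namesize=%lu\n", size, namesize);
    return 0;
}
```

The explicit isxdigit() pass is what makes the "consumed exactly len bytes" test trustworthy: without it, strtoul() would happily accept "  ffffff" or "0x000010" and still report that it consumed all eight bytes.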
Comment 1 Joe Orton 2001-02-21 13:08:55 EST
Created attachment 10680 [details]
Fixes for cpio
Comment 2 Jeff Johnson 2001-02-22 11:14:20 EST
Hmmm, I'd like to understand why malloc is necessary, but you're mostly on the
track here.

FWIW, I know the problem well, as purify complains bitterly about the end
pointer handling, first seen by me like 3 years ago. Do you have access to
purify (or other malloc checker) to see what else is wrong with the silly
and unnecessary import of a useless function (strtol would work just as
well IMHO)? I'm tempted to just rip the function out entirely.
Comment 3 Joe Orton 2001-02-22 11:25:38 EST
No, I don't have purify access, sorry. Taking the function out might cause more
portability problems, I don't know.
Comment 4 Jeff Johnson 2001-04-17 14:11:24 EDT
Here's a "fix" to the problem, basically equivalent to what you
proposed. Will be in rpm-4.0.3-0.5.

Index: lib/cpio.c
RCS file: /cvs/devel/rpm/lib/cpio.c,v
retrieving revision
diff -u -r2.71.2.7 cpio.c
--- lib/cpio.c  2001/04/02 17:00:16
+++ lib/cpio.c  2001/04/17 18:09:03
@@ -209,14 +209,14 @@
     if (*end)
        *endptr = ((char *)str) + (end - buf);  /* XXX discards const */
-       *endptr = ((char *)str) + strlen(str);
+       *endptr = ((char *)str) + strlen(buf);

     return ret;

 #define GET_NUM_FIELD(phys, log) \
        log = strntoul(phys, &end, 16, sizeof(phys)); \
-       if (*end) return CPIOERR_BAD_HEADER;
+       if ( (end - phys) != sizeof(phys) ) return CPIOERR_BAD_HEADER;
 #define SET_NUM_FIELD(phys, val, space) \
        sprintf(space, "%8.8lx", (unsigned long) (val)); \
        memcpy(phys, space, 8);
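Review bot: the new guard `if ( (end - phys) != sizeof(phys) ) return CPIOERR_BAD_HEADER;` in GET_NUM_FIELD only means "the whole field was consumed" when `phys` is a fixed-size char array member; applied to a pointer, sizeof(phys) would be the pointer size and the check would pass or fail independently of the field width. The strntoul call on the line above already relies on the same property, so a one-line comment on the macro stating that it must be invoked on array members (or a compile-time guard) would keep a later refactor from silently breaking both. In the first part of the hunk, `*endptr = ((char *)str) + strlen(buf);` is bounded only because `buf` is the NUL-terminated local copy rather than the caller's unterminated `str`, which was the over-read reported above; in the case where strtoul consumed every byte of `buf`, `end - buf` already equals `strlen(buf)`, so the two assignments to `*endptr` could be collapsed into the single `(end - buf)` form and the strlen() call dropped altogether.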
