Bug 28645 - Fix for cpio code
Summary: Fix for cpio code
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: rpm
Version: 7.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Jeff Johnson
QA Contact: David Lawrence
Depends On:
Reported: 2001-02-21 18:07 UTC by Joe Orton
Modified: 2007-04-18 16:31 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2001-02-22 16:25:44 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments
Fixes for cpio (2.06 KB, patch)
2001-02-21 18:08 UTC, Joe Orton

Description Joe Orton 2001-02-21 18:07:20 UTC
The cpio code failed on AIX 4.3.

This patch fixes what looks like a serious problem: the cpio code does a
strlen() on strings which are not NUL-terminated.

It also switches to using malloc/free rather than alloca in this code:
combined, but I don't know why this is necessary.

These changes make AIX 4.3 work again.  (Neither alone was sufficient.)
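As an added illustration of the report above (not code from this bug or from rpm), the following bounded hex-field parser consumes at most the field width, never calls strlen() on the caller's header buffer, and applies a whole-field-consumed check; the names hexfield_parse, get_num_field and the CPIO_HDR sample are hypothetical and the header bytes are constructed.

```c
#include <stddef.h>
#include <stdio.h>
/* cpio "newc" headers pack 8-character hex fields back to back with no NUL
 * after any field, so a field is bounded only by its width, never by '\0'. */
#define CPIO_FIELD_LEN 8
/* Constructed header fragment (hypothetical values): magic, then the ino and
 * mode fields; note the ino field is directly followed by more hex digits. */
static const char CPIO_HDR[] = "070701" "00000003" "000081A4";
/* Hypothetical bounded hex parser: reads at most `num` bytes of `str`, never
 * past str + num, and stores the number of bytes consumed in *consumed.
 * No NUL-terminated scratch copy and no strlen() on the caller's buffer. */
static unsigned long hexfield_parse(const char *str, size_t num, size_t *consumed)
{
    unsigned long val = 0;
    size_t i;
    for (i = 0; i < num; i++) {
        unsigned char c = (unsigned char)str[i];
        unsigned d;
        if (c >= '0' && c <= '9')      d = c - '0';
        else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else break;                    /* stop at the first non-hex byte */
        val = (val << 4) | d;
    }
    *consumed = i;
    return val;
}
/* Same rule as the patched GET_NUM_FIELD: the field is valid only when all
 * `width` bytes parsed, so "0000 1A4", an embedded NUL, or a truncated field
 * are all rejected. Returns 0 on success, -1 on a bad header. */
static int get_num_field(const char *field, size_t width, unsigned long *out)
{
    size_t used;
    unsigned long v = hexfield_parse(field, width, &used);
    if (used != width)
        return -1;
    *out = v;
    return 0;
}
int main(void)
{
    unsigned long ino = 0, mode = 0;
    int ok = get_num_field(CPIO_HDR + 6, CPIO_FIELD_LEN, &ino) == 0 &&
             get_num_field(CPIO_HDR + 14, CPIO_FIELD_LEN, &mode) == 0;
    printf("ino=%lu mode=%lo valid=%d\n", ino, mode, ok);
    return ok ? 0 : 1;
}
```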

Comment 1 Joe Orton 2001-02-21 18:08:55 UTC
Created attachment 10680
Fixes for cpio

Comment 2 Jeff Johnson 2001-02-22 16:14:20 UTC
Hmmm, I'd like to understand why malloc is necessary, but you're mostly on the
track here.

FWIW, I know the problem well, as purify complains bitterly about the end
pointer handling, first seen by me like 3 years ago. Do you have access to
purify (or other malloc checker) to see what else is wrong with the silly
and unnecessary import of a useless function (strtol would work just as
well IMHO)? I'm tempted to just rip the function entirely.

Comment 3 Joe Orton 2001-02-22 16:25:38 UTC
No, I don't have purify access, sorry. Taking the function out might cause more
portability problems, I don't know.

Comment 4 Jeff Johnson 2001-04-17 18:11:24 UTC
Here's a "fix" to the problem, basically equivalent to what you
proposed. Will be in rpm-4.0.3-0.5.

Index: lib/cpio.c
RCS file: /cvs/devel/rpm/lib/cpio.c,v
retrieving revision
diff -u -r2.71.2.7 cpio.c
--- lib/cpio.c  2001/04/02 17:00:16
+++ lib/cpio.c  2001/04/17 18:09:03
@@ -209,14 +209,14 @@
     if (*end)
        *endptr = ((char *)str) + (end - buf);  /* XXX discards const */
-       *endptr = ((char *)str) + strlen(str);
+       *endptr = ((char *)str) + strlen(buf);

     return ret;

 #define GET_NUM_FIELD(phys, log) \
        log = strntoul(phys, &end, 16, sizeof(phys)); \
-       if (*end) return CPIOERR_BAD_HEADER;
+       if ( (end - phys) != sizeof(phys) ) return CPIOERR_BAD_HEADER;
 #define SET_NUM_FIELD(phys, val, space) \
        sprintf(space, "%8.8lx", (unsigned long) (val)); \
        memcpy(phys, space, 8);
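Review bot: the new GET_NUM_FIELD test `if ( (end - phys) != sizeof(phys) )` only works because `phys` is a fixed-width char array, so that sizeof(phys) is the field width (8, matching the `"%8.8lx"` and `memcpy(phys, space, 8)` in SET_NUM_FIELD); if a pointer were ever passed, the comparison would be against sizeof(char *) and every header would be accepted or rejected regardless of content, so a comment on the macro stating that requirement would help. The `strlen(buf)` for `strlen(str)` change in the first part of the hunk deserves a one-line comment as well: `str` is the unterminated header field and only the local copy `buf` is guaranteed NUL-terminated, which is exactly the over-read the report describes, and together the two changes make the macro reject a field whose parse stops early (non-hex byte or embedded NUL) instead of relying on `*end`.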
