Bug 36845 - va_list misuse leads to segfault
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: rpm
Version: 7.1
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Jeff Johnson
QA Contact: David Lawrence
Reported: 2001-04-20 11:42 EDT by franz.sirl-kernel
Modified: 2007-04-18 12:32 EDT
Doc Type: Bug Fix
Last Closed: 2001-04-20 11:42:26 EDT
Description franz.sirl-kernel 2001-04-20 11:42:22 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.8.1+)
Gecko/20010418


You can't use a va_list in a loop like it is done in
rpmio/rpmlog.c:vrpmlog(), that's non-portable C and breaks on platforms
that pass a va_list by reference, e.g. PPC. va_list needs to be copied for
every use using __va_copy.

Reproducible: Always
Steps to Reproduce:
1. rpm -q --changelog rpm

--- rpm-4.0.2/rpmio/rpmlog.c.~1~        Tue Feb 13 10:23:33 2001
+++ rpm-4.0.2/rpmio/rpmlog.c    Thu Mar 15 14:18:07 2001
@@ -105,6 +105,7 @@ static void vrpmlog (unsigned code, cons
     /*@unused@*/ int fac = RPMLOG_FAC(code);
     char *msgbuf, *msg;
     int msgnb = BUFSIZ, nb;
+    va_list apc;
     FILE * msgout = stderr;
     rpmlogRec rec;

@@ -117,7 +118,8 @@ static void vrpmlog (unsigned code, cons
     /* Allocate a sufficently large buffer for output. */
     while (1) {
        /*@-unrecog@*/
-       nb = vsnprintf(msgbuf, msgnb, fmt, ap);
+       __va_copy(apc, ap);
+       nb = vsnprintf(msgbuf, msgnb, fmt, apc);
        /*@=unrecog@*/
        if (nb > -1 && nb < msgnb)
            break;
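Review bot: the `__va_copy(apc, ap)` added inside the `while (1)` loop has no matching `va_end(apc)` in the visible lines, so every retry starts a new copy without ending the previous one; add `va_end(apc);` directly after the `vsnprintf` call, before the `if (nb > -1 && nb < msgnb)` check. `__va_copy` is also a compiler-specific spelling, so a fallback for compilers that do not provide it (or the C99 `va_copy` name where available) would keep this portability fix itself portable.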
Comment 1 Jeff Johnson 2001-04-21 01:59:44 EDT
Fixed in rpm CVS, should be in rpm-4.0.3-0.8. Thanks for the patch.
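
The grow-and-retry formatting loop described in the report, as an added example that is not part of the original report or rpm's code. It uses the C99 name va_copy for the same operation as __va_copy; vformat_alloc and format_alloc are hypothetical names, and the input in main is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not rpm's vrpmlog): format into a heap buffer of
 * `size` bytes, growing it until the output fits. NULL on failure. */
static char *vformat_alloc(size_t size, const char *fmt, va_list ap)
{
    char *buf = malloc(size ? size : 1), *tmp;
    while (buf != NULL) {
        va_list apc;
        int nb;
        /* vsnprintf() leaves the list it was given indeterminate, so each
         * pass works on a fresh copy and `ap` itself is never consumed. */
        va_copy(apc, ap);
        nb = vsnprintf(buf, size, fmt, apc);
        va_end(apc);                 /* one va_end per va_copy */
        if (nb < 0)                  /* C99: output or encoding error */
            break;
        if ((size_t)nb < size)
            return buf;              /* fits, terminator included */
        size = (size_t)nb + 1;       /* C99 returns the length needed */
        if ((tmp = realloc(buf, size)) == NULL)
            break;
        buf = tmp;
    }
    free(buf);                       /* free(NULL) is a no-op */
    return NULL;
}

/* Variadic front end; `start` is the initial buffer size in bytes. */
static char *format_alloc(size_t start, const char *fmt, ...)
{
    va_list ap;
    char *s;
    va_start(ap, fmt);
    s = vformat_alloc(start, fmt, ap);
    va_end(ap);
    return s;
}

int main(void)
{
    /* Constructed input: a 4-byte start buffer forces a second pass. */
    char *s = format_alloc(4, "%s-%d.%d.%d", "rpm", 4, 0, 2);
    puts(s ? s : "(allocation failed)");
    free(s);
    return 0;
}
```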
