Bug 46474 - rpm 4.0.2-8 seg faults on parameterized macros
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: rpm-build
Version: 7.1
Hardware: i386 Linux
Priority: medium
Severity: high
Assigned To: Jeff Johnson
QA Contact: David Lawrence
Reported: 2001-06-28 20:52 EDT by Michael Jennings (KainX)
Modified: 2007-04-18 12:34 EDT (History)

Last Closed: 2001-06-30 12:31:37 EDT
Description Michael Jennings (KainX) 2001-06-28 20:52:59 EDT
Description of Problem:

There is a typo in rpmio/macro.c in the grabArgs() function.  This typo
causes segmentation faults due to a NULL pointer dereference.  Here is the
patch:

diff -Nur rpm-4.0.2.orig/rpmio/macro.c rpm-4.0.2/rpmio/macro.c
--- rpm-4.0.2.orig/rpmio/macro.c     Thu Jan 18 17:47:25 2001
+++ rpm-4.0.2/rpmio/macro.c      Thu Jun 28 17:47:08 2001
@@ -801,7 +801,7 @@
     /* Build argv array */
     argv = (const char **) alloca((argc + 1) * sizeof(char *));
     be[-1] = ' ';      /*  be - 1 == b + strlen(b) == buf + strlen(buf)  
*/
-    buf[0] = '\0';
+    be[0] = '\0';
     b = buf;
     for (c = 0; c < argc; c++) {
        argv[c] = b;
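Review bot: The change agrees with the comment on the preceding context line: with be - 1 == buf + strlen(buf), be[0] is the byte just after the separator that be[-1] = ' ' has written, so terminating there leaves "name arg ... " for the loop below to walk, whereas buf[0] = '\0' terminates the buffer at its start and b = buf then points at an empty string. The loop still trusts that exactly argc separators exist before reaching the end; a guard on the strchr() result (or an assert on b == be after the loop) would turn any future miscount into an error instead of a NULL dereference.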

Setting *buf to NUL erases the first character of the macro name.  It also
causes buf, and by proxy, b, to be empty strings.  Thus, argv[0] becomes
an empty string.  The subsequent call to strchr(b, ' ') returns NULL
(obviously, since b is empty), and the dereference of b on the line after
causes rpmb to seg fault.  I believe this bug would affect any
parameterized macro.

I would supply a simple test case, but it would take me longer to
construct one than it should take for someone to look at the code and
realize the typo....  :-)
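To make the mechanism above concrete, here is a small C model of the argv-building step, written for this page and not taken from rpm's macro.c: it runs the rpm-4.0.2 line and the corrected line side by side on the constructed input "foo a b", and reports a NULL strchr() result instead of dereferencing it as the original loop does. The function names (split_args, run_model, last_argv) and the buffer layout are assumptions of this example.

```c
#include <string.h>

#define SAMPLE "foo a b"   /* constructed macro body: name plus two args */
#define ARGC   3           /* number of words in SAMPLE */

static char last_joined[sizeof SAMPLE + 1];   /* argv entries joined by '|' */

/* Model of the argv-building loop in grabArgs() (a reconstruction for this
 * example, not rpm's code).  buf holds SAMPLE; be points one past its
 * terminating NUL, so be - 1 == buf + strlen(buf).  rpm dereferences the
 * strchr() result unconditionally; returning -1 here avoids the crash. */
static int split_args(char *buf, char *be, const char **argv, int fixed)
{
    char *b = buf;
    int c;
    be[-1] = ' ';          /* old terminator becomes the last separator */
    if (fixed)
        be[0] = '\0';      /* rpm-4.0.3: terminate right after it */
    else
        buf[0] = '\0';     /* rpm-4.0.2 typo: empties the buffer b walks */
    for (c = 0; c < ARGC; c++) {
        argv[c] = b;
        b = strchr(b, ' ');
        if (b == NULL)     /* rpm does *b++ = '\0' here: NULL dereference */
            return -1;
        *b++ = '\0';
    }
    argv[ARGC] = NULL;
    return ARGC;
}

/* Runs the model on SAMPLE; returns the argv count, or -1 on the NULL path.
 * The joined argv (e.g. "foo|a|b") is available via last_argv(). */
int run_model(int fixed)
{
    char buf[sizeof SAMPLE + 1];   /* one spare byte so be[0] is in bounds */
    const char *argv[ARGC + 1];
    int n, c;
    memset(buf, 0, sizeof buf);
    strcpy(buf, SAMPLE);
    n = split_args(buf, buf + strlen(buf) + 1, argv, fixed);
    last_joined[0] = '\0';
    for (c = 0; c < n; c++) {
        if (c) strcat(last_joined, "|");
        strcat(last_joined, argv[c]);
    }
    return n;
}

const char *last_argv(void) { return last_joined; }
```

run_model(0) takes the buggy path and returns -1 with no argv produced; run_model(1) returns 3 and last_argv() yields "foo|a|b".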
Comment 1 Jeff Johnson 2001-06-30 12:33:26 EDT
Yup. Fixed in rpm-4.0.3 something.
