Bug 46474 - rpm 4.0.2-8 seg faults on parameterized macros
Summary: rpm 4.0.2-8 seg faults on parameterized macros
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: rpm-build   
(Show other bugs)
Version: 7.1
Hardware: i386 Linux
medium
high
Target Milestone: ---
Assignee: Jeff Johnson
QA Contact: David Lawrence
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2001-06-29 00:52 UTC by Michael Jennings (KainX)
Modified: 2007-04-18 16:34 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2001-06-30 16:31:37 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Michael Jennings (KainX) 2001-06-29 00:52:59 UTC
Description of Problem:

There is a typo in rpmio/macro.c in the grabArgs() function.  This typo
causes segmentation faults due to a NULL pointer dereference.  Here is the
patch:

diff -Nur rpm-4.0.2.orig/rpmio/macro.c rpm-4.0.2/rpmio/macro.c
--- rpm-4.0.2.orig/rpmio/macro.c     Thu Jan 18 17:47:25 2001
+++ rpm-4.0.2/rpmio/macro.c      Thu Jun 28 17:47:08 2001
@@ -801,7 +801,7 @@
     /* Build argv array */
     argv = (const char **) alloca((argc + 1) * sizeof(char *));
     be[-1] = ' ';      /*  be - 1 == b + strlen(b) == buf + strlen(buf)  
*/
-    buf[0] = '\0';
+    be[0] = '\0';
     b = buf;
     for (c = 0; c < argc; c++) {
        argv[c] = b;

Setting *buf to NUL erases the first character of the macro name.  It also
causes buf, and by proxy, b, to be empty strings.  Thus, argv[0] becomes
an empty string.  The subsequent call to strchr(b, ' ') returns NULL
(obviously, since b is empty), and the dereference of b on the line after
causes rpmb to seg fault.  I believe this bug would affect any
parameterized macro.

I would supply a simple test case, but it would take me longer to
construct one than it should take for someone to look at the code and
realize the typo....  :-)

Comment 1 Jeff Johnson 2001-06-30 16:33:26 UTC
Yup. Fixed in rpm-4.0.3 something.


Note You need to log in before you can comment on or make changes to this bug.