Bug 75774 - Non-rpm file causes rpm to segfault, rather than reject it
Summary: Non-rpm file causes rpm to segfault, rather than reject it
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Fedora
Classification: Fedora
Component: rpm
Version: rawhide
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Paul Nasrat
QA Contact:
URL: http://www.mysql.com/Downloads/MySQL-...
Whiteboard:
Depends On:
Blocks: FC5Target
Reported: 2002-10-12 04:32 UTC by lukeh
Modified: 2007-11-30 22:10 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2006-02-12 18:16:02 UTC
Type: ---
Embargoed:


Attachments
RPM package that is *not* an RPM package and causes a segfault on rpm -Uvh (45.89 KB, application/octet-stream)
2002-10-12 14:33 UTC, lukeh

Description lukeh 2002-10-12 04:32:55 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20020830

Description of problem:
I went to download MySQL from mysql.com, from the following webpage:

  http://www.mysql.com/downloads/mysql-3.23.html

I right-clicked on the link that said "Download" next to "Server (i386)", i.e.
the following link, and went "Download link" in my browser:

  http://www.mysql.com/Downloads/MySQL-3.23/MySQL-3.23.52-1.i386.rpm

It turns out that this link is *not* an RPM; rather, you get redirected to an
HTML download page with the actual download links for each mirror.  However, I
didn't know that I had just downloaded an HTML file with an .rpm extension, so I
proceeded to install the "rpm":

  rpm -Uhv MySQL-3.23.52-1.i386.rpm

I get a segfault.

Version-Release number of selected component (if applicable):
rpm-4.1-1.06
 (Psyche vanilla)

How reproducible:
Always

Steps to Reproduce:
[Follow the steps above]

Actual Results:  

   Segmentation fault

Expected Results:  I would have expected:

  MySQL-3.23.52-1.i386.rpm: not an rpm package (or package manifest):

Additional info:
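A pre-install check of the kind the expected result above implies, written here as an added example (it is not rpm's own code, nor the reporter's): it refuses to hand a file to rpm unless the file starts with the RPM lead magic bytes ed ab ee db, and separately recognizes a saved HTML page so the failure is reported instead of parsed as a package manifest. The function names are my own.

```shell
#!/bin/sh
# Added example, not part of rpm: reject non-RPM files before rpm sees them.
# Every RPM begins with the 4-byte lead magic 0xED 0xAB 0xEE 0xDB.

rpm_magic_ok() {
    # First four bytes as lowercase hex with offsets and spacing stripped.
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "edabeedb" ]
}

looks_like_html() {
    # Case-insensitive look at the first 512 bytes for a doctype or <html> tag,
    # so a lowercase "<!doctype html>" is caught as well as the report's form.
    dd if="$1" bs=512 count=1 2>/dev/null | tr 'A-Z' 'a-z' \
        | grep -q -e '<!doctype html' -e '<html'
}

# Print "rpm", "html" or "unknown" for a file; exit status 0 only for "rpm".
classify_package_file() {
    if rpm_magic_ok "$1"; then
        echo rpm; return 0
    elif looks_like_html "$1"; then
        echo html; return 1
    else
        echo unknown; return 1
    fi
}

# Wrapper for the command from the report: only call rpm when every argument
# passes the magic check, otherwise explain which file was rejected.
safe_rpm_install() {
    for f in "$@"; do
        if ! rpm_magic_ok "$f"; then
            echo "$f: not an rpm package ($(classify_package_file "$f")), refusing to install" >&2
            return 1
        fi
    done
    rpm -Uvh "$@"
}
```

Run as `safe_rpm_install MySQL-3.23.52-1.i386.rpm`; the HTML file from this report is rejected with an "html" classification and rpm is never invoked.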

Comment 1 Jeff Johnson 2002-10-12 13:14:59 UTC
Yup. Can you attach a copy of the file here
that you tried to install so I can see
exactly what's wrong? Thanks

Comment 2 lukeh 2002-10-12 14:33:29 UTC
Created attachment 80127 [details]
RPM package that is *not* an RPM package and causes a segfault on rpm -Uvh

Comment 3 lukeh 2002-10-12 14:35:55 UTC
Interestingly, "less MySQL-3....rpm" gives the expected "not an rpm" message,
i.e. I guess querying the rpm file without installing it seems to work fine (I
don't know which options less invokes rpm with to list the files in the rpm).

Comment 4 Paul Nasrat 2005-10-31 17:45:59 UTC
==13949== Stack overflow in thread 1: can't grow stack to 0x521FB9D8
==13949==
==13949== Process terminating with default action of signal 11 (SIGSEGV):
dumping core
==13949==  Access not within mapped region at address 0x521FB9D8
==13949==    at 0x1BAFB7DB: glob64 (in /usr/lib/librpmio-4.4.so)
==13949== Stack overflow in thread 1: can't grow stack to 0x521FB9CC

/**@todo Infinite loops through manifest files exist, operator error for now. */

looks like we're looking:

#0  *glob64 (
    pattern=0xbec68e50 "Worlds Most Popular Open Source Database\" /></td> </tr>
</table> </td> </tr>\t\t\t <tr> <td><img src=\"../images/pixel-trans.gif\"
width=\"1\" height=\"5\" alt=\"\" /></td> </tr> <tr> <td> <table border=\"0\"
widt"..., flags=8196, errfunc=0x24bd49 <Glob_error>, pglob=0xbec72274) at
/usr/include/bits/string3.h:75
...
#303 0x0024f8ef in *glob64 (pattern=0xa42d5d2 "Worlds Most Popular Open Source
Database\" /></td> </tr> </table> </td> </tr>\t\t\t <tr> <td><img
src=\"../images/pixel-trans.gif\" width=\"1\" height=\"5\" alt=\"\" /></td>
</tr> <tr> <td> <table border=\"0\" widt"..., flags=4096, errfunc=0x24bd49
<Glob_error>, pglob=0xbf85c8dc) at ../misc/glob.c:628
#304 0x0024bdfd in Glob (pattern=0xa42d5d2 "Worlds Most Popular Open Source
Database\" /></td> </tr> </table> </td> </tr>\t\t\t <tr> <td><img
src=\"../images/pixel-trans.gif\" width=\"1\" height=\"5\" alt=\"\" /></td>
</tr> <tr> <td> <table border=\"0\" widt"..., flags=4096, errfunc=0x24bd49
<Glob_error>, pglob=0xbf85c8dc) at rpmrpc.c:1469
#305 0x002368eb in rpmGlob (patterns=0xa007c50 "<!DOCTYPE HTML PUBLIC
\"-//W3C//DTD HTML 4.01 Transitional//EN\"> <html> <head> <title>MySQL |
Downloads | MySQL | Pick your closest mirror</title> <link rel=\"stylesheet\"
href=\"../styles/mysql.css\" type"..., argcPtr=0xbf85c974, argvPtr=0xbf85c970)
at macro.c:1729
#306 0x003ef608 in rpmReadPackageManifest (fd=0x3c, argcPtr=0xbf85e9e4,
argvPtr=0xbf85e9e8) at manifest.c:130
#307 0x0040a498 in rpmInstall (ts=0xa006dc8, ia=0x441de0, fileArgv=0x9fef068) at
rpminstall.c:617
#308 0x0804a0b2 in main (argc=4, argv=0xbf85ebc4) at ./rpmqv.c:790
#309 0x00b6850f in __libc_start_main () from /lib/libc.so.6
#310 0x08049351 in _start ()



Comment 5 Jeff Johnson 2006-02-12 18:16:02 UTC
This prevents the segfault for the class of HTML problems:
Index: manifest.c
===================================================================
RCS file: /cvs/devel/rpm/lib/manifest.c,v
retrieving revision 2.15.2.2
diff -u -b -B -w -p -r2.15.2.2 manifest.c
--- manifest.c  20 Dec 2005 17:02:32 -0000      2.15.2.2
+++ manifest.c  12 Feb 2006 18:11:44 -0000
@@ -105,6 +105,13 @@ rpmRC rpmReadPackageManifest(FD_t fd, in
            break;
        }
 
+       /* XXX stop processing manifest if HTML is found. */
+#define        DOCTYPE_HTML_PUBLIC     "<!DOCTYPE HTML PUBLIC"
+       if (!strncmp(line, DOCTYPE_HTML_PUBLIC, sizeof(DOCTYPE_HTML_PUBLIC)-1)) {
+           rpmrc = RPMRC_NOTFOUND;
+           goto exit;
+       }
+
        /* Skip comments. */
        if ((se = strchr(s, '#')) != NULL) *se = '\0';
 
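Review bot: the guard at the top of this hunk only fires for a line that begins with the exact, case-sensitive string `<!DOCTYPE HTML PUBLIC`, so an HTML file with a lowercase `<!doctype html>`, no doctype at all, or leading whitespace still falls through to the manifest path and the glob recursion shown in Comment 4; the `@todo Infinite loops through manifest files exist` note quoted there means the underlying unbounded recursion is left as is. A check that rejects any manifest line containing characters that cannot appear in a package path or glob (such as `<`), or a bound on the recursion depth in rpmReadPackageManifest, would cover the class rather than this one instance. Minor: the `#define DOCTYPE_HTML_PUBLIC` sits inside the function body and would read better with the file's other defines; the `sizeof(DOCTYPE_HTML_PUBLIC)-1` prefix length is correct for the string literal.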

The patch is a bit pugly, that can't be helped afaik.

Checked into rpm cvs, will be in rpm-4.4.5-0.10 when built.

