Description of problem:
rpm2html crashes when reading the package header of some wrongly formed RPM packages, using librpm404 (rpm-4.1 is safe, but I cannot use it to reindex my whole rpm database on fr2.rpmfind.net, because there are performance issues. The same amount of input rpm requires 4 hours processing with rpm-4.0.4, and 12 hours with rpm-4.1 libs).

Version-Release number of selected component (if applicable):
Red Hat 8.0, librpm4.0.4

How reproducible:
when rpm2html parses badly formed RPM packages, for example in ftp3.sourceforge.net/pub/sourceforge/celticlegend/celticlegends-0.11-beta.i386.rpm

The stack is:

rpm2html: indexing /var/ftp/linux/sourceforge
indexing SourceForge
Scanning directory /var/ftp/linux/sourceforge for RPMs
warning: Expected size: 1291231 = lead(96)+sigs(100)+pad(4)+data(1291031)
warning: Actual size: 1294910

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 8192 (LWP 31269)]
0x4011eda2 in regionSwab (entry=0x8081e6c, il=33, dl=2010, pe=0x8083d48, dataStart=0x8083f58 "", regionid=-800) at header.c:470
470         *it = htons(*it);
(gdb) bt
#0  0x4011eda2 in regionSwab (entry=0x8081e6c, il=33, dl=2010, pe=0x8083d48, dataStart=0x8083f58 "", regionid=-800) at header.c:470
#1  0x4011fc4e in headerLoad (uh=0x8083c30) at header.c:931
#2  0x401203a7 in headerRead (fd=0x80818c8, magicp=HEADER_MAGIC_YES) at header.c:1168
#3  0x40127aa3 in headerRead (fd=0x80818c8, magicp=HEADER_MAGIC_YES) at hdrinline.h:203
#4  0x401276c3 in readPackageHeaders (fd=0x80818c8, leadPtr=0xbffff230, sigs=0xbffff22c, hdrPtr=0xbffff2c8) at package.c:182
#5  0x40127975 in rpmReadPackageHeader (fd=0x80818c8, hdrp=0xbffff2c8, isSource=0xbffff2cc, major=0x0, minor=0x0) at package.c:266
#6  0x08059729 in rpmOpen (nameRpm=0x80808eb "celticlegends-0.11-beta.i386.rpm", dir=0x807be08, tree=0x8080808) at rpmopen.c:1022
#7  0x08059bd3 in rpmOneDirScan (dir=0x807be08, tree=0x8080808) at rpmopen.c:1244
#8  0x08059b92 in rpmOneDirScan (dir=0x807be08, tree=0x807f740) at rpmopen.c:1271
#9  0x08059d37 in rpmDirScan (dir=0x807be08, tree=0x806c7e0) at rpmopen.c:1309
#10 0x0805a060 in rpmDirScanOneDir (directory=0x807be08 "P¼\a\b") at rpmopen.c:1446
#11 0x08055661 in main (argc=4, argv=0xbffff8b4) at rpm2html.c:180
#12 0x420158d4 in __libc_start_main () from /lib/i686/libc.so.6
(gdb) b rpmReadSignature
Breakpoint 1 at 0x4013a72c: file signature.c, line 160.
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/bellet/cvs/rpm2html-rpm404/rpm2html -dir /var/ftp/linux/sourceforge rpm2html-local.config
Breakpoint 1 at 0x8049938
Breakpoint 1 at 0x4013a72c: file signature.c, line 160.
[New Thread 8192 (LWP 31408)]
error: Unable to open /usr/local/lib/rpm/rpmrc for reading: No such file or directory.
rpm2html: indexing /var/ftp/linux/sourceforge
indexing SourceForge
Scanning directory /var/ftp/linux/sourceforge for RPMs
[Switching to Thread 8192 (LWP 31408)]

Breakpoint 1, rpmReadSignature (fd=0x80818c8, headerp=0xbffff22c, sig_type=RPMSIGTYPE_HEADERSIG) at signature.c:160
160         Header h = NULL;
(gdb) finish
Run till exit from #0  rpmReadSignature (fd=0x80818c8, headerp=0xbffff22c, sig_type=RPMSIGTYPE_HEADERSIG) at signature.c:160
warning: Expected size: 1291231 = lead(96)+sigs(100)+pad(4)+data(1291031)
warning: Actual size: 1294910
0x40127687 in readPackageHeaders (fd=0x80818c8, leadPtr=0xbffff230, sigs=0xbffff22c, hdrPtr=0xbffff2c8) at package.c:179
179         rc = rpmReadSignature(fd, sigs, lead->signature_type);
Value returned is $1 = RPMRC_BADSIZE
(gdb)

--> A possible patch is to exit from readPackageHeaders() when rpmReadSignature() returns RPMRC_BADSIZE.

--- rpm-4.0.3/lib/package.c.bak Wed Jul 11 04:05:22 2001
+++ rpm-4.0.3/lib/package.c Sun Nov 25 02:19:07 2001
@@ -135,7 +135,7 @@ case 3: case 4: rc = rpmReadSignature(fd, sigs, lead->signature_type); - if (rc == RPMRC_FAIL) + if (rc == RPMRC_FAIL || rc == RPMRC_BADSIZE) return rc; *hdr = headerRead(fd, (lead->major >= 3) ? HEADER_MAGIC_YES : HEADER_MAGIC_NO);
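Review bot: the early return on RPMRC_BADSIZE only avoids the crash for packages whose declared size disagrees with the file (the "Expected size / Actual size" warning path shown above); a package whose index counts are inconsistent while the total size still adds up would reach headerRead()/headerLoad()/regionSwab() exactly as before, so the bounds check is needed in header.c as well, not only at this call site. Also, the hunk is against rpm-4.0.3/lib/package.c (around line 135), while the report and backtrace are for librpm 4.0.4 (package.c:179 and :182), so it needs to be rebased onto the version actually in use before it can be applied.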
Avoiding segfaults when fed random data is (of course) the entire reason why rpm-4.1 verifies signatures/digests when reading headers. I'm almost certain that this segfault is -- like most segfaults in rpm -- caused by bad data in headers. Returning RPMRC_BADSIZE is certainly doable, but is a little trickier than above. If rpm-4.1 "works", that is, performs equivalently to rpm-4.0.4 with signature/digest checking disabled (it should), then I suggest fixing the problem there, not in rpm-4.0.4.
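Both the backtrace in the report (regionSwab() walking il=33 entries of a header whose declared and actual sizes disagree) and the reply's point that the segfault comes from bad header data come down to trusting the counts stored inside the header. As an added example that is not rpm or rpm2html code, the checker below bounds-checks a header section's il/dl and every index entry against the bytes actually read, before anything is byte-swapped; the ceilings on il and dl, the error codes and the constructed sample header are assumptions of the example, not librpm's.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* An RPM header section (signature header and main header alike) is: 8-byte magic
 * 8e ad e8 01 00 00 00 00, il (index entry count) and dl (data length) as 32-bit
 * big-endian, il*16 bytes of index entries (tag, type, offset, count), then dl bytes
 * of data. Added example, not librpm's headerLoad(); the il/dl ceilings are assumed. */
enum { HDR_OK, HDR_SHORT, HDR_BAD_MAGIC, HDR_BAD_COUNTS, HDR_BAD_ENTRY };
static const uint8_t RPM_HDR_MAGIC[8] = {0x8e, 0xad, 0xe8, 0x01, 0, 0, 0, 0};
/* Bytes per element by tag type 0..9; 0 marks NULL and the NUL-terminated string types. */
static const size_t ELEM_SIZE[10] = {0, 1, 1, 2, 4, 8, 0, 1, 0, 0};
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (24 - 8 * i)); }

/* Returns HDR_OK (and the section length in *used) only when every count and offset
 * stays inside buf, so a caller may byte-swap or index the entries without overrunning. */
int rpm_header_validate(const uint8_t *buf, size_t len, size_t *used) {
    if (len < 16) return HDR_SHORT;
    if (memcmp(buf, RPM_HDR_MAGIC, 8) != 0) return HDR_BAD_MAGIC;
    uint32_t il = be32(buf + 8), dl = be32(buf + 12);
    if (il == 0 || il > 0xFFFF || dl > 0x3FFFFFFF) return HDR_BAD_COUNTS; /* no size_t wrap */
    size_t total = 16 + (size_t)il * 16 + dl;
    if (total > len) return HDR_SHORT; /* header claims more bytes than were actually read */
    const uint8_t *data = buf + total - dl;
    for (uint32_t i = 0; i < il; i++) {
        const uint8_t *e = buf + 16 + (size_t)i * 16;
        uint32_t type = be32(e + 4), off = be32(e + 8), count = be32(e + 12);
        if (type > 9 || count == 0 || (type != 0 && off >= dl)) return HDR_BAD_ENTRY;
        size_t es = ELEM_SIZE[type];
        if (es && (uint64_t)off + (uint64_t)count * es > dl) return HDR_BAD_ENTRY;
        if (!es && type != 0) { /* string types: `count` NUL terminators must lie in data */
            size_t p = off; uint32_t seen = 0;
            while (p < dl && seen < count) if (data[p++] == 0) seen++;
            if (seen < count) return HDR_BAD_ENTRY;
        }
    }
    if (used) *used = total;
    return HDR_OK;
}

/* Constructed 36-byte sample: one NAME (tag 1000, STRING) entry over the data "foo\0"
 * (dl = 4). il and off are written as given so a test can corrupt either one. */
size_t build_sample(uint8_t *out, uint32_t il, uint32_t off) {
    memcpy(out, RPM_HDR_MAGIC, 8);
    put32(out + 8, il); put32(out + 12, 4);
    put32(out + 16, 1000); put32(out + 20, 6); put32(out + 24, off); put32(out + 28, 1);
    memcpy(out + 32, "foo", 4);
    return 36;
}
```

A header that passes this check can still be semantically wrong, which is why the reply points at signature/digest verification; the check only guarantees that no count or offset leads outside the bytes in hand.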
*** This bug has been marked as a duplicate of 83320 ***
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.