RPM Package Manager, CVS Repository http://rpm5.org/cvs/ ____________________________________________________________________________
Server: rpm5.org Name: Jeff Johnson Root: /v/rpm/cvs Email: j...@rpm5.org Module: rpm Date: 12-Apr-2016 00:00:58 Branch: rpm-5_4 Handle: 2016041122005200 Modified files: (Branch: rpm-5_4) rpm/rpmdb header.c Log: - header: deal with tag padding, detect STRING_ARRAY overruns/underruns. Summary: Revision Changes Path 1.198.2.23 +16 -10 rpm/rpmdb/header.c ____________________________________________________________________________
patch -p0 <<'@@ .'
Index: rpm/rpmdb/header.c
============================================================================
$ cvs diff -u -r1.198.2.22 -r1.198.2.23 header.c
--- rpm/rpmdb/header.c 11 Apr 2016 09:18:28 -0000 1.198.2.22
+++ rpm/rpmdb/header.c 11 Apr 2016 22:00:52 -0000 1.198.2.23
@@ -311,7 +311,7 @@
 break;
 /* These are like RPM_STRING_TYPE, except they're *always* an array */
 /* Compute sum of length of all strings, including nul terminators */
- case RPM_I18NSTRING_TYPE:
+ case RPM_I18NSTRING_TYPE: /* XXX treat as raw string array. */
 case RPM_STRING_ARRAY_TYPE:
 if (onDisk) {
 while (count--) {
@@ -418,8 +418,9 @@
 nb = he->c * sizeof(*he->p.ui64p);
 break;
 #if !defined(SUPPORT_I18NSTRING_TYPE)
- case RPM_I18NSTRING_TYPE:
+ case RPM_I18NSTRING_TYPE: /* XXX already done? */
 he->t = RPM_STRING_TYPE;
+ he->c = 1;
 /*@fallthrough@*/
 #endif
 case RPM_STRING_TYPE:
@@ -1350,6 +1351,7 @@
 */
 static int copyEntry(const indexEntry entry, HE_t he, int minMem)
 {
+ rpmTagType type = entry->info.type;
 rpmTagCount count = entry->info.count;
 int rc = 1; /* XXX 1 on success. */
@@ -1397,7 +1399,8 @@
 break;
 #if !defined(SUPPORT_I18NSTRING_TYPE)
 case RPM_I18NSTRING_TYPE:
- he->t = RPM_STRING_TYPE;
+ type = RPM_STRING_TYPE;
+ count = 1;
 he->p.str = (char *) entry->data;
 break;
 #endif
@@ -1426,21 +1429,27 @@
 memcpy(t, entry->data, entry->length);
 t[entry->length-1] = '\0'; /* XXX ensure NUL terminated */
 }
- te = t + entry->length;
+ te = t + entry->length; /* XXX entry->length +padding */
 for (i = 0; i < (unsigned) count; i++) {
 argv[i] = t;
 t = strchr(t, 0);
 t++;
 }
- if (t != te) /* XXX ensure full copy */
+ if (t > te) {
+fprintf(stderr, "*** %s: STRING_ARRAY overrun\n", __FUNCTION__, rc, t, te);
+ rc = 0;
+ } else
+ if ((te-t) >= 8) { /* XXX entry->length +padding */
+fprintf(stderr, "*** %s: STRING_ARRAY underrun\n", __FUNCTION__, rc, t, te);
 rc = 0;
+ }
 }
 break;
 default:
 he->p.ptr = entry->data;
 break;
 }
- he->t = entry->info.type;
+ he->t = type;
 he->c = count;
 return rc;
 }
@@ -1613,7 +1622,6 @@
 }
 /*@fallthrough@*/
 #endif
- case RPM_STRING_TYPE:
 default:
 rc = copyEntry(entry, he, minMem);
 break;
@@ -1636,9 +1644,7 @@
 int rc = 0; /* assume success */
 switch (he->t) {
-#if defined(SUPPORT_I18NSTRING_TYPE) /* XXX used while reloading? */
- case RPM_I18NSTRING_TYPE:
-#endif
+ case RPM_I18NSTRING_TYPE: /* XXX used while reloading? */
 case RPM_STRING_ARRAY_TYPE: { const char ** av = he->p.argv;
 rpmTagCount cnt = he->c;
@@ .
______________________________________________________________________ RPM Package Manager http://rpm5.org CVS Sources Repository rpm-cvs@rpm5.org
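Review bot: In the `@@ -1426,21 +1429,27 @@` hunk of copyEntry the new `t > te` test runs only after the loop, so when `count` claims more strings than the entry holds, `strchr(t, 0)` has already scanned past `te` and `argv[]` already holds pointers beyond the data. The walk should stop at `te` inside the loop and fail there, which makes the post-loop overrun branch unnecessary; this relies on the `t[entry->length-1] = '\0'` terminator visible in the copy branch, and the other branch that sets `t` lies above the hunk and is not visible here. Separately, both `fprintf` calls pass `rc, t, te` to a format that contains a single `%s`, so those values are never printed, and the bare `8` in the underrun test would read better as a named padding constant. The switch case this code belongs to starts above the hunk.

```c
for (i = 0; i < (unsigned) count; i++) {
    if (t >= te) {      /* count claims more strings than the entry holds */
        rc = 0;
        break;
    }
    /* … unchanged: argv[i] = t; t = strchr(t, 0); t++; … */
}
if ((te-t) >= 8)        /* XXX entry->length +padding */
    rc = 0;
```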
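Review bot: The now-unconditional `case RPM_I18NSTRING_TYPE:` in the `@@ -1636,9 +1644,7 @@` hunk shares the `he->p.argv` walk with RPM_STRING_ARRAY_TYPE, while the `@@ -418,8 +418,9 @@` hunk of the same commit treats an I18NSTRING `he` as a single string (`he->t = RPM_STRING_TYPE; he->c = 1;`) when SUPPORT_I18NSTRING_TYPE is not defined. The comment still ends in a question mark, so the payload expected here is undocumented; if a caller can reach this switch with `he->p.str` set, it would be read as `const char **`. Once the contract is confirmed I would state it in the comment, for example `/* I18NSTRING reaches here only as an argv array, never as p.str */`. The switch body continues past the end of the hunk.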