The attached file will cause an out of bounds heap read access when passed to
rpm (tested with rpm -i --test [input]). Found with american fuzzy lop and
address sanitizer.
[oob-heap-copyTdEntry.zip](https://github.com/rpm-software-management/rpm/files/729923/oob-heap-copyTdEntry.zip)
Stack trace from asan:
```
==25558==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61a000012501 at pc 0x0000004b56e5 bp 0x7ffe1fa11e90 sp 0x7ffe1fa11640
READ of size 592 at 0x61a000012501 thread T0
#0 0x4b56e4 in __asan_memcpy (/r/rpm/rpm+0x4b56e4)
#1 0x5dd92e in copyTdEntry /f/rpm/rpm/lib/header.c:1074:23
#2 0x5d82af in intGetTdEntry /f/rpm/rpm/lib/header.c:1294:7
#3 0x5d71b1 in headerGet /f/rpm/rpm/lib/header.c:1317:10
#4 0x6373a9 in rpmpkgRead /f/rpm/rpm/lib/package.c:365:6
#5 0x6373a9 in rpmReadPackageFile /f/rpm/rpm/lib/package.c:432
#6 0x579658 in tryReadHeader /f/rpm/rpm/lib/rpminstall.c:353:17
#7 0x579658 in rpmInstall /f/rpm/rpm/lib/rpminstall.c:537
#8 0x5057ae in main /f/rpm/rpm/rpmqv.c:295:12
#9 0x7f9d10ee078f in __libc_start_main (/lib64/libc.so.6+0x2078f)
#10 0x41c648 in _start (/r/rpm/rpm+0x41c648)
0x61a000012501 is located 0 bytes to the right of 1153-byte region
[0x61a000012080,0x61a000012501)
allocated by thread T0 here:
#0 0x4cc7a8 in malloc (/r/rpm/rpm+0x4cc7a8)
#1 0x674ff4 in rmalloc /f/rpm/rpm/rpmio/rpmmalloc.c:44:13
#2 0x636804 in rpmpkgReadHeader /f/rpm/rpm/lib/package.c:262:9
#3 0x6371da in rpmpkgRead /f/rpm/rpm/lib/package.c:340:10
#4 0x6371da in rpmReadPackageFile /f/rpm/rpm/lib/package.c:432
#5 0x579658 in tryReadHeader /f/rpm/rpm/lib/rpminstall.c:353:17
#6 0x579658 in rpmInstall /f/rpm/rpm/lib/rpminstall.c:537
#7 0x5057ae in main /f/rpm/rpm/rpmqv.c:295:12
SUMMARY: AddressSanitizer: heap-buffer-overflow (/r/rpm/rpm+0x4b56e4) in
__asan_memcpy
https://github.com/rpm-software-management/rpm/issues/133
_______________________________________________
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint
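The ASan numbers in the report above say exactly what went wrong: a 592-byte read starts 0 bytes past the end of a 1153-byte heap region, so the copy begins at the region boundary and runs off it. The following is an added example, not rpm's code and not the reporter's: it models a tag entry as a hypothetical (offset, length) pair and shows the bounds check a reader of a header-style container must perform before handing those values to memcpy, including the integer-wrap case that a naive `offset + length` check misses.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical descriptor for one entry in a data region: "copy `length`
 * bytes starting at `offset`". This is an assumed layout for illustration,
 * not rpm's own header entry structure. */
struct entry {
    uint32_t offset;
    uint32_t length;
};

/* True iff [offset, offset + length) lies entirely inside a region of
 * region_len bytes. The sum is formed in 64 bits so that a hostile
 * offset/length pair cannot wrap around and pass the comparison. */
bool entry_in_bounds(const struct entry *e, size_t region_len)
{
    uint64_t end = (uint64_t)e->offset + (uint64_t)e->length;
    return end <= (uint64_t)region_len;
}

/* Copies the entry's bytes into out only when they are fully inside the
 * region and fit the destination. Returns the number of bytes copied, or 0
 * if the entry was rejected. The memcpy is never reached with out-of-range
 * values, which is the defect the ASan trace above points at. */
size_t copy_entry_checked(const uint8_t *region, size_t region_len,
                          const struct entry *e,
                          uint8_t *out, size_t out_len)
{
    if (!entry_in_bounds(e, region_len) || e->length > out_len)
        return 0;
    memcpy(out, region + e->offset, e->length);
    return e->length;
}

/* Constructed values mirroring the report: a 1153-byte region and an entry
 * asking for 592 bytes starting exactly at the region's end. */
#define REGION_LEN 1153

int main(void)
{
    static uint8_t region[REGION_LEN];
    uint8_t out[1024];
    struct entry bad  = { .offset = REGION_LEN, .length = 592 };
    struct entry ok   = { .offset = 100,        .length = 592 };
    struct entry wrap = { .offset = 0xFFFFFFFFu, .length = 2 };

    printf("bad entry copied:  %zu bytes\n",
           copy_entry_checked(region, REGION_LEN, &bad, out, sizeof out));
    printf("ok entry copied:   %zu bytes\n",
           copy_entry_checked(region, REGION_LEN, &ok, out, sizeof out));
    printf("wrap entry copied: %zu bytes\n",
           copy_entry_checked(region, REGION_LEN, &wrap, out, sizeof out));
    return 0;
}
```

The check is deliberately done against the size of the allocated region, the same 1153 bytes ASan reports, rather than against any length the entry itself claims; a length that is trusted from the file is what turns a malformed package into an out-of-bounds read under ASan and into an information leak or crash without it.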