The attached file will cause an out-of-bounds memory read in rpm (tested with
rpm -i --test [input]).
[rpm-oob-heap-read-rstrlenhash-rpmstrPoolId.zip](https://github.com/rpm-software-management/rpm/files/736801/rpm-oob-heap-read-rstrlenhash-rpmstrPoolId.zip)
Found with american fuzzy lop and address sanitizer.
Here's a stack trace from asan:
```
==29668==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x60200000151b at pc 0x0000006a0e05 bp 0x7ffe13842070 sp 0x7ffe13842068
READ of size 1 at 0x60200000151b thread T0
#0 0x6a0e04 in rstrlenhash /f/rpm/rpm/rpmio/rpmstrpool.c:52:12
#1 0x6a0e04 in rpmstrPoolId /f/rpm/rpm/rpmio/rpmstrpool.c:390
#2 0x536103 in singleDS /f/rpm/rpm/lib/rpmds.c:460:15
#3 0x536103 in rpmdsSinglePool /f/rpm/rpm/lib/rpmds.c:486
#4 0x512720 in findPos /f/rpm/rpm/lib/depends.c:328:20
#5 0x512720 in addPackage /f/rpm/rpm/lib/depends.c:446
#6 0x5122e9 in rpmtsAddInstallElement /f/rpm/rpm/lib/depends.c:493:12
#7 0x57a1d4 in rpmInstall /f/rpm/rpm/lib/rpminstall.c:584:11
#8 0x5057ae in main /f/rpm/rpm/rpmqv.c:295:12
#9 0x7f09b5fdc78f in __libc_start_main (/lib64/libc.so.6+0x2078f)
#10 0x41c648 in _start (/r/rpm/rpm+0x41c648)
0x60200000151b is located 5 bytes to the right of 6-byte region
[0x602000001510,0x602000001516)
allocated by thread T0 here:
#0 0x4cc7a8 in malloc (/r/rpm/rpm+0x4cc7a8)
#1 0x67546e in rstrdup /f/rpm/rpm/rpmio/rpmmalloc.c:74:29
#2 0x62018f in rpmHeaderFormatCall /f/rpm/rpm/lib/formats.c:541:8
#3 0x612486 in rpmtdFormat /f/rpm/rpm/lib/rpmtd.c:261:8
#4 0x58f207 in addTE /f/rpm/rpm/lib/rpmte.c:145:15
#5 0x58f207 in rpmteNew /f/rpm/rpm/lib/rpmte.c:241
#6 0x512642 in addPackage /f/rpm/rpm/lib/depends.c:438:9
--
https://github.com/rpm-software-management/rpm/issues/135
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
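Added example (not part of the report above and not rpm's own code): the ASan trace shows a one-byte read in a hash-while-measuring-length routine landing 5 bytes past the end of a 6-byte heap region, i.e. the scan for a terminating NUL kept going past the allocation. The hypothetical `bounded_strlenhash` below is a Jenkins one-at-a-time hash that takes an explicit upper bound so a buffer that is not NUL-terminated within its allocation can never be scanned past it, and `hash_terminated` reports whether the scan stopped on a NUL or on the bound. The sample buffers are constructed here to mirror the 6-byte region in the report; the function names and the bounded signature are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample inputs (not from the report): a 6-byte buffer with no
 * terminating NUL, and a 6-byte buffer holding "abc" plus NUL padding. */
static const char kUnterminated[6] = {'a', 'b', 'c', 'd', 'e', 'f'};
static const char kTerminated[6]   = "abc";

/* Hypothetical bounded variant of a "hash while computing length" routine
 * (illustrative only; not rpm's rstrlenhash). Jenkins one-at-a-time hash.
 * Stops at the first NUL or after maxlen bytes, whichever comes first, so
 * the loop can never read past a buffer whose size the caller knows. */
static uint32_t bounded_strlenhash(const char *str, size_t maxlen, size_t *lenp)
{
    uint32_t hash = 0;
    size_t len = 0;

    while (len < maxlen && str[len] != '\0') {
        hash += (unsigned char)str[len];
        hash += (hash << 10);
        hash ^= (hash >> 6);
        len++;
    }
    hash += (hash << 3);
    hash ^= (hash >> 11);
    hash += (hash << 15);

    if (lenp)
        *lenp = len;
    return hash;
}

/* Returns 1 if a NUL was found inside the first maxlen bytes (the string is
 * properly terminated within its allocation), 0 if the scan hit the bound,
 * which is exactly the case where an unbounded strlen-style loop would have
 * read out of bounds. len/hash are reported through the optional out-params. */
static int hash_terminated(const char *buf, size_t maxlen,
                           size_t *lenp, uint32_t *hashp)
{
    size_t len;
    uint32_t h = bounded_strlenhash(buf, maxlen, &len);

    if (lenp)
        *lenp = len;
    if (hashp)
        *hashp = h;
    return len < maxlen;
}

int main(void)
{
    size_t len;
    uint32_t h;

    int ok = hash_terminated(kUnterminated, sizeof kUnterminated, &len, &h);
    printf("unterminated: terminated=%d len=%zu hash=0x%08x\n", ok, len, h);

    ok = hash_terminated(kTerminated, sizeof kTerminated, &len, &h);
    printf("terminated:   terminated=%d len=%zu hash=0x%08x\n", ok, len, h);
    return 0;
}
```

The point of the bound is not the hash itself but the stopping condition: when a string's allocation size is known (as it is for the region ASan reports here), passing it through turns a silent out-of-bounds read into a detectable "not terminated" result that the caller can reject.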