Just for completeness: Here's a different file triggering an out of bounds a
few lines earlier. It seems it is fixed by the same commit (sidenote: I think
it'd be a good idea to have regression tests with all the fuzzed files that
triggered bugs).
[rpmkeys-oob-heap-pgpPrtSubType-rpmpgp-427.zip](https://github.com/rpm-software-management/rpm/files/757334/rpmkeys-oob-heap-pgpPrtSubType-rpmpgp-427.zip)
asan message (from a 4.13.0 compile):
```
==27208==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6020000019bd at pc 0x000000677a6a bp 0x7ffe5597dc70 sp 0x7ffe5597dc68
READ of size 4 at 0x6020000019bd thread T0
#0 0x677a69 in pgpPrtSubType /f/rpm/rpm-4.13.0/rpmio/rpmpgp.c:427:3
#1 0x66a45d in pgpPrtSig /f/rpm/rpm-4.13.0/rpmio/rpmpgp.c:594:6
#2 0x66a45d in pgpPrtPkt /f/rpm/rpm-4.13.0/rpmio/rpmpgp.c:819
#3 0x66a45d in pgpPrtParams /f/rpm/rpm-4.13.0/rpmio/rpmpgp.c:978
#4 0x592c67 in rpmSigInfoParse /f/rpm/rpm-4.13.0/lib/signature.c:90:6
#5 0x52d789 in rpmpkgVerifySigs /f/rpm/rpm-4.13.0/lib/rpmchecksig.c:270:7
#6 0x52f19a in rpmcliVerifySignatures
/f/rpm/rpm-4.13.0/lib/rpmchecksig.c:388:13
#7 0x50415d in main /f/rpm/rpm-4.13.0/rpmkeys.c:70:7
#8 0x7f36453fb78f in __libc_start_main (/lib64/libc.so.6+0x2078f)
#9 0x41c4a8 in _start (/f/rpm/rpm-4.13.0/rpmkeys+0x41c4a8)
0x6020000019bd is located 0 bytes to the right of 13-byte region
[0x6020000019b0,0x6020000019bd)
allocated by thread T0 here:
#0 0x4cc608 in malloc (/f/rpm/rpm-4.13.0/rpmkeys+0x4cc608)
#1 0x664d64 in rmalloc /f/rpm/rpm-4.13.0/rpmio/rpmmalloc.c:44:13
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/148#issuecomment-277964994_______________________________________________
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint
