[CVS] RPM: rpm-5_4: rpm/rpmdb/ header.c
RPM Package Manager, CVS Repository http://rpm5.org/cvs/ Server: rpm5.org Name: Jeff Johnson Root: /v/rpm/cvs Email: j...@rpm5.org Module: rpm Date: 19-Apr-2016 15:23:02 Branch: rpm-5_4 Handle: 2016041913230200 Modified files: (Branch: rpm-5_4) rpm/rpmdb header.c Log: - header: re-add trailer copy to avoid alignment issues. Summary: RevisionChanges Path 1.198.2.25 +9 -3 rpm/rpmdb/header.c patch -p0 <<'@@ .' Index: rpm/rpmdb/header.c $ cvs diff -u -r1.198.2.24 -r1.198.2.25 header.c --- rpm/rpmdb/header.c15 Apr 2016 18:23:56 - 1.198.2.24 +++ rpm/rpmdb/header.c19 Apr 2016 13:23:02 - 1.198.2.25 @@ -722,6 +722,7 @@ memcpy(pe+1, src, rdl); memcpy(te, src + rdl, rdlen); te += rdlen; + /* XXX FIXME: te should be aligned to next 16b boundary? */ pe->offset = (rpmint32_t) htonl(te - dataStart); stei[0] = (rpmuint32_t) pe->tag; @@ -738,6 +739,7 @@ memcpy(pe+1, src + sizeof(*pe), ((ril-1) * sizeof(*pe))); memcpy(te, src + (ril * sizeof(*pe)), rdlen+entry->info.count+drlen); te += rdlen; + /* XXX FIXME: te should be aligned to next 16b boundary? */ { entryInfo se = (entryInfo)src; rpmint32_t off = (rpmint32_t) ntohl(se->offset); @@ -785,6 +787,7 @@ /* Insure that there are no memcpy underruns/overruns. */ if (((unsigned char *)pe) != dataStart) goto errxit; +/* XXX FIXME: update len when te is aligned? */ if unsigned char *)ei)+len) != te) goto errxit; @@ -995,8 +998,10 @@ if (off < 0) goto errxit; if (off) { - rpmuint32_t * stei = (rpmuint32_t *) (dataStart + off); size_t nb = REGION_TAG_COUNT; + /* XXX copy to fix alignment problems */ +rpmuint32_t * stei = (rpmuint32_t *) + memcpy(alloca(nb), dataStart + off, nb); if ((off + nb) > dl) goto errxit; rdl = (rpmuint32_t)-ntohl(stei[2]); /* negative offset */ 
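Review bot: In the `@@ -995,8 +998,10 @@` hunk the new `memcpy(alloca(nb), dataStart + off, nb)` runs as the initializer of `stei`, before the `if ((off + nb) > dl) goto errxit;` test on the following line. A header whose region offset lies at or past the end of the data area is therefore read out of bounds before it is rejected, whereas the removed line only formed a pointer at that point. Declare `rpmuint32_t * stei;` without an initializer, keep the bounds test first, and only then assign `stei = (rpmuint32_t *) memcpy(alloca(nb), dataStart + off, nb);`. The enclosing function starts and ends outside the hunk, so any earlier validation of `off` against `dl` beyond the visible `off < 0` test cannot be confirmed from here.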
@@ -1440,9 +1445,10 @@ t++; } if (t > te) { + count = 1; rpmlog(RPMLOG_ERR, - _("STRING_ARRAY overrun: tag(%u) entry %p[%u] count reset %u -> %u\n"), - he->tag, entry->data, (unsigned)entry->length, + _("STRING_ARRAY overrun: tag(%u) entry %p[%u] rdlen %u count reset %u -> %u\n"), + he->tag, entry->data, (unsigned)entry->length, (unsigned)entry->rdlen, entry->info.count, (unsigned)count); } else if ((te-t) >= 8) { /* XXX entry->length +padding */ @@ . __ RPM Package Managerhttp://rpm5.org CVS Sources Repositoryrpm-cvs@rpm5.org
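Review bot: The overrun branch in the `@@ -1440,9 +1445,10 @@` hunk now resets `count` to 1 and logs, but nothing in the branch clears `rc`, so as far as the hunk shows the entry is still returned as a success with a one-element array. `t > te` means the scan above has already stepped past the end of the entry, so the data is known to be damaged at this point. Either add `rc = 0;` next to `count = 1;`, or add a comment stating why a truncated result is safe to hand to callers, for example `/* XXX overrun: damaged entry, expose argv[0] only */`. The function body starts and ends outside the hunk.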
[CVS] RPM: rpm-5_4: rpm/rpmdb/ header.c
RPM Package Manager, CVS Repository http://rpm5.org/cvs/ Server: rpm5.org Name: Jeff Johnson Root: /v/rpm/cvs Email: j...@rpm5.org Module: rpm Date: 12-Apr-2016 00:00:58 Branch: rpm-5_4 Handle: 2016041122005200 Modified files: (Branch: rpm-5_4) rpm/rpmdb header.c Log: - header: deal with tag padding, detect STRING_ARRAY overruns/underruns. Summary: RevisionChanges Path 1.198.2.23 +16 -10 rpm/rpmdb/header.c patch -p0 <<'@@ .' Index: rpm/rpmdb/header.c $ cvs diff -u -r1.198.2.22 -r1.198.2.23 header.c --- rpm/rpmdb/header.c11 Apr 2016 09:18:28 - 1.198.2.22 +++ rpm/rpmdb/header.c11 Apr 2016 22:00:52 - 1.198.2.23 @@ -311,7 +311,7 @@ break; /* These are like RPM_STRING_TYPE, except they're *always* an array */ /* Compute sum of length of all strings, including nul terminators */ -case RPM_I18NSTRING_TYPE: +case RPM_I18NSTRING_TYPE:/* XXX treat as raw string array. */ case RPM_STRING_ARRAY_TYPE: if (onDisk) { while (count--) { @@ -418,8 +418,9 @@ nb = he->c * sizeof(*he->p.ui64p); break; #if !defined(SUPPORT_I18NSTRING_TYPE) -case RPM_I18NSTRING_TYPE: +case RPM_I18NSTRING_TYPE:/* XXX already done? */ he->t = RPM_STRING_TYPE; + he->c = 1; /*@fallthrough@*/ #endif case RPM_STRING_TYPE: @@ -1350,6 +1351,7 @@ */ static int copyEntry(const indexEntry entry, HE_t he, int minMem) { +rpmTagType type = entry->info.type; rpmTagCount count = entry->info.count; int rc = 1; /* XXX 1 on success. */ @@ -1397,7 +1399,8 @@ break; #if !defined(SUPPORT_I18NSTRING_TYPE) case RPM_I18NSTRING_TYPE: - he->t = RPM_STRING_TYPE; + type = RPM_STRING_TYPE; + count = 1; he->p.str = (char *) entry->data; break; #endif 
@@ -1426,21 +1429,27 @@ memcpy(t, entry->data, entry->length); t[entry->length-1] = '\0'; /* XXX ensure NUL terminated */ } - te = t + entry->length; + te = t + entry->length; /* XXX entry->length +padding */ for (i = 0; i < (unsigned) count; i++) { argv[i] = t; t = strchr(t, 0); t++; } - if (t != te)/* XXX ensure full copy */ + if (t > te) { +fprintf(stderr, "*** %s: STRING_ARRAY overrun\n", __FUNCTION__, rc, t, te); + rc = 0; + } else + if ((te-t) >= 8) { /* XXX entry->length +padding */ +fprintf(stderr, "*** %s: STRING_ARRAY underrun\n", __FUNCTION__, rc, t, te); rc = 0; + } }break; default: he->p.ptr = entry->data; break; } -he->t = entry->info.type; +he->t = type; he->c = count; return rc; } @@ -1613,7 +1622,6 @@ } /*@fallthrough@*/ #endif -case RPM_STRING_TYPE: default: rc = copyEntry(entry, he, minMem); break; @@ -1636,9 +1644,7 @@ int rc = 0; /* assume success */ switch (he->t) { -#if defined(SUPPORT_I18NSTRING_TYPE) /* XXX used while reloading? */ -case RPM_I18NSTRING_TYPE: -#endif +case RPM_I18NSTRING_TYPE:/* XXX used while reloading? */ case RPM_STRING_ARRAY_TYPE: {const char ** av = he->p.argv; rpmTagCount cnt = he->c; @@ . __ RPM Package Managerhttp://rpm5.org CVS Sources Repositoryrpm-cvs@rpm5.org
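Review bot: The overrun test added in the `@@ -1426,21 +1429,27 @@` hunk runs only after the loop has finished, and the loop advances with `strchr(t, 0)`, which has no upper bound. With a `count` larger than the number of NULs in the entry, the scan has already read past `te` by the time `t > te` is noticed. Bounding each step with `memchr` over `te - t` detects the same condition without leaving the entry; the slots of `argv` after the early exit stay unset, so this assumes callers honour `rc == 0`. The same loop appears as context in the 1.198.2.22 hunk `@@ -1423,12 +1424,16 @@`, and the 1.198.2.25 hunk `@@ -1440,9 +1445,10 @@` keeps the after-the-fact test. The two `fprintf` calls also pass `rc, t, te`, which their format strings never print.

```c
	te = t + entry->length;	/* XXX entry->length +padding */
	for (i = 0; i < (unsigned) count; i++) {
	    char * e = (t < te) ? memchr(t, 0, (size_t)(te - t)) : NULL;
	    if (e == NULL) {	/* no NUL left inside the entry */
		rc = 0;
		break;
	    }
	    argv[i] = t;
	    t = e + 1;
	}
	/* … unchanged: underrun test on (te-t) … */
```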
[CVS] RPM: rpm-5_4: rpm/rpmdb/ header.c
RPM Package Manager, CVS Repository http://rpm5.org/cvs/ Server: rpm5.org Name: Jeff Johnson Root: /v/rpm/cvs Email: j...@rpm5.org Module: rpm Date: 11-Apr-2016 11:18:28 Branch: rpm-5_4 Handle: 2016041109182800 Modified files: (Branch: rpm-5_4) rpm/rpmdb header.c Log: - header: fix: check that STRING_ARRAY has the right number of NUL's in blob. - header: fix: ensure STRING_ARRAY data is NUL terminated. Summary: RevisionChanges Path 1.198.2.22 +5 -0 rpm/rpmdb/header.c patch -p0 <<'@@ .' Index: rpm/rpmdb/header.c $ cvs diff -u -r1.198.2.21 -r1.198.2.22 header.c --- rpm/rpmdb/header.c10 Apr 2016 22:03:54 - 1.198.2.21 +++ rpm/rpmdb/header.c11 Apr 2016 09:18:28 - 1.198.2.22 @@ -1414,6 +1414,7 @@ {const char ** argv; size_t nb = count * sizeof(*argv); char * t; + char * te; unsigned i; if (minMem) { @@ -1423,12 +1424,16 @@ he->p.argv = argv = (const char **) DRD_xmalloc(nb + entry->length); t = (char *) [count]; memcpy(t, entry->data, entry->length); + t[entry->length-1] = '\0'; /* XXX ensure NUL terminated */ } + te = t + entry->length; for (i = 0; i < (unsigned) count; i++) { argv[i] = t; t = strchr(t, 0); t++; } + if (t != te)/* XXX ensure full copy */ + rc = 0; }break; default: @@ . __ RPM Package Managerhttp://rpm5.org CVS Sources Repositoryrpm-cvs@rpm5.org
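Review bot: `t[entry->length-1] = '\0';` in the `@@ -1423,12 +1424,16 @@` hunk writes one byte before `t` when `entry->length` is 0. Since `t` appears to point just past the `argv` slots inside the same allocation, that byte lands in the last slot, or before the allocation when `count` is also 0. Nothing visible in the hunk rules out a zero-length entry, so guard the store: `if (entry->length > 0) t[entry->length-1] = '\0';`. The function starts and ends outside the hunk, so an earlier length check may exist but cannot be seen here.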
[CVS] RPM: rpm-5_4: rpm/rpmdb/ header.c
RPM Package Manager, CVS Repository http://rpm5.org/cvs/ Server: rpm5.org Name: Jeff Johnson Root: /v/rpm/cvs Email: j...@rpm5.org Module: rpm Date: 04-Apr-2016 20:38:59 Branch: rpm-5_4 Handle: 2016040418385800 Modified files: (Branch: rpm-5_4) rpm/rpmdb header.c Log: - remove debugging printf. Summary: RevisionChanges Path 1.198.2.20 +0 -1 rpm/rpmdb/header.c patch -p0 <<'@@ .' Index: rpm/rpmdb/header.c $ cvs diff -u -r1.198.2.19 -r1.198.2.20 header.c --- rpm/rpmdb/header.c4 Apr 2016 04:16:29 - 1.198.2.19 +++ rpm/rpmdb/header.c4 Apr 2016 18:38:58 - 1.198.2.20 @@ -1536,7 +1536,6 @@ } else { he->p.argv = argv = (const char **) DRD_xmalloc(nb + entry->length); t = (char *) [count]; -fprintf(stderr, "*** %s: memcpy(%p, %p, %u)\n", __FUNCTION__, t, entry->data, (unsigned)entry->length); memcpy(t, entry->data, entry->length); } /*@=mods@*/ @@ . __ RPM Package Managerhttp://rpm5.org CVS Sources Repositoryrpm-cvs@rpm5.org
[CVS] RPM: rpm-5_4: rpm/rpmdb/ header.c
RPM Package Manager, CVS Repository http://rpm5.org/cvs/ Server: rpm5.org Name: Jeff Johnson Root: /v/rpm/cvs Email: j...@rpm5.org Module: rpm Date: 04-Apr-2016 06:16:29 Branch: rpm-5_4 Handle: 2016040404162900 Modified files: (Branch: rpm-5_4) rpm/rpmdb header.c Log: - header: remove the damaged tags assert failure. Summary: RevisionChanges Path 1.198.2.19 +221 -24rpm/rpmdb/header.c patch -p0 <<'@@ .' Index: rpm/rpmdb/header.c $ cvs diff -u -r1.198.2.18 -r1.198.2.19 header.c --- rpm/rpmdb/header.c21 Mar 2016 22:08:51 - 1.198.2.18 +++ rpm/rpmdb/header.c4 Apr 2016 04:16:29 - 1.198.2.19 @@ -32,13 +32,15 @@ #endif /* __cplusplus */ #if defined(SUPPORT_IMPLICIT_TAG_DATA_TYPES) -extern void tagTypeValidate(HE_t he) +extern void tagTypeValidate(HE_t he, unsigned int flags) /*@*/; #endif /*@unchecked@*/ int _hdr_debug = 0; +static int jbj; + /** \ingroup header */ /*@-type@*/ @@ -337,10 +339,6 @@ size_t length = 0; switch (type) { -#if !defined(SUPPORT_I18NSTRING_TYPE) -case RPM_I18NSTRING_TYPE: -assert(0); -#endif case RPM_STRING_TYPE: if (count != 1) return 0; @@ -353,9 +351,7 @@ break; /* These are like RPM_STRING_TYPE, except they're *always* an array */ /* Compute sum of length of all strings, including nul terminators */ -#if defined(SUPPORT_I18NSTRING_TYPE) case RPM_I18NSTRING_TYPE: -#endif case RPM_STRING_ARRAY_TYPE: if (onDisk) { while (count--) { @@ -1082,9 +1078,10 @@ rpmuint32_t * stei = (rpmuint32_t *) memcpy(alloca(nb), dataStart + off, nb); rdl = (rpmuint32_t)-ntohl(stei[2]); /* negative offset */ -assert((rpmint32_t)rdl >= 0);/* XXX insurance */ + if (hdrchkData(rdl)) + goto errxit; ril = (rpmuint32_t)(rdl/sizeof(*pe)); - if (hdrchkTags(ril) || hdrchkData(rdl)) + if (hdrchkTags(ril)) goto errxit; } else { ril = il; 
@@ -1425,7 +1422,8 @@ fprintf(stderr, "==> munmap(%p[%u]) error(%d): %s\n", nuh, (unsigned)pvlen, errno, strerror(errno)); } -} else { +} else +{ nuh = memcpy(xmalloc(pvlen), uh, pvlen); if ((nh = headerLoad(nuh)) != NULL) nh->flags |= HEADERFLAG_ALLOCATED; @@ -1538,6 +1536,7 @@ } else { he->p.argv = argv = (const char **) DRD_xmalloc(nb + entry->length); t = (char *) [count]; +fprintf(stderr, "*** %s: memcpy(%p, %p, %u)\n", __FUNCTION__, t, entry->data, (unsigned)entry->length); memcpy(t, entry->data, entry->length); } /*@=mods@*/ @@ -1695,6 +1694,21 @@ } #endif +static void +dumpEntry(const char *msg, indexEntry entry) +{ +if (msg) + fprintf(stderr, " %s %p\n", msg, entry); +if (entry) +fprintf(stderr, "\tentry tag %d type %d offset %d count %d data %p[%u]\n", + entry->info.tag, + entry->info.type, + entry->info.offset, + entry->info.count, + entry->data, + (unsigned)entry->length); +} + /** * Retrieve tag data from header. * @param h header @@ -1702,13 +1716,15 @@ * @param flags headerGet flags * @return 1 on success, 0 on not found */ -static int intGetEntry(Header h, HE_t he, int flags) +static int intGetEntry(Header h, HE_t he, unsigned int flags) /*@modifies he @*/ { int minMem = 0; indexEntry entry; int rc; +if (jbj) +fprintf(stderr, "--> %s(%p,%p, 0x%x) tag %d\n", __FUNCTION__, h, he, flags, he ->tag); /* First find the tag */ /*@-mods@*/ /*@ FIX: h modified by sort. */ entry = findEntry(h, he->tag, (rpmTagType)0); @@ -1720,6 +1736,90 @@ return 0; } +/* XXX sanity check on count field */ +if (entry->info.count > entry->length) { + size_t count = entry->info.count; + entry->info.count = entry->length; +fprintf(stderr, "*** %s: OVERRIDE\ttag %d type %d count %u -> %u\n", __FUNCTION__, he->tag, entry->info.type, count, (unsigned)entry->info.count); +} + +/* XXX Hardwire signature header tag type/count. */ +if (flags & HEADERGET_SIGHEADER || he->tag == RPMTAG_PUBKEYS) { +if (jbj) +dumpEntry("before",
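Review bot: The `fprintf(stderr, "*** %s: memcpy(%p, %p, %u)\n", ...)` added in the `@@ -1538,6 +1536,7 @@` hunk is unconditional. Every array copy taken through this branch therefore writes heap addresses to the stderr of whatever program links the library. The tracing added to `intGetEntry` in this same commit is gated on `jbj`; gate this line the same way with `if (jbj)`, or on the existing `_hdr_debug`. The enclosing function starts and ends outside the hunk.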
[CVS] RPM: rpm-5_4: rpm/rpmdb/ header.c
RPM Package Manager, CVS Repository http://rpm5.org/cvs/ Server: rpm5.org Name: Jeff Johnson Root: /v/rpm/cvs Email: j...@rpm5.org Module: rpm Date: 15-May-2014 01:05:27 Branch: rpm-5_4 Handle: 2014051423051400 Modified files: (Branch: rpm-5_4) rpm/rpmdb header.c Log: - coverity #1214080 Summary: RevisionChanges Path 1.198.2.10 +1 -0 rpm/rpmdb/header.c patch -p0 '@@ .' Index: rpm/rpmdb/header.c $ cvs diff -u -r1.198.2.9 -r1.198.2.10 header.c --- rpm/rpmdb/header.c26 Aug 2013 21:35:57 - 1.198.2.9 +++ rpm/rpmdb/header.c14 May 2014 23:05:14 - 1.198.2.10 @@ -1398,6 +1398,7 @@ static const int fdno = -1; static const off_t off = 0; nuh = mmap(NULL, pvlen, prot, flags, fdno, off); +assert(nuh != NULL nuh != (void *)-1);/* coverity #1214080 */ if (nuh == NULL || nuh == (void *)-1) fprintf(stderr, == mmap(%p[%u], 0x%x, 0x%x, %d, 0x%x) error(%d): %s\n, @@ . __ RPM Package Managerhttp://rpm5.org CVS Sources Repositoryrpm-cvs@rpm5.org
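Review bot: The added `assert` turns an mmap() failure, which is a runtime resource condition, into a process abort. In a build with NDEBUG it disappears and leaves only the `fprintf` below it, after which `nuh` is presumably still used (that use is outside the hunk). mmap() reports failure as `MAP_FAILED`, not `NULL`, so the check should be a real branch that leaves through the function's failure return, along the lines of `if (nuh == MAP_FAILED) return NULL;`, assuming this is the `Header`-returning mapping routine. A one-line comment such as `/* mmap failure is recoverable: report and fail the load */` would record why the branch exists.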
[CVS] RPM: rpm-5_4: rpm/rpmdb/ header.c
RPM Package Manager, CVS Repository http://rpm5.org/cvs/ Server: rpm5.org Name: Jeff Johnson Root: /v/rpm/cvs Email: j...@rpm5.org Module: rpm Date: 26-Aug-2013 23:35:58 Branch: rpm-5_4 Handle: 2013082621355700 Modified files: (Branch: rpm-5_4) rpm/rpmdb header.c Log: - fix: fix UINT64 assertion. Summary: RevisionChanges Path 1.198.2.9 +1 -1 rpm/rpmdb/header.c patch -p0 '@@ .' Index: rpm/rpmdb/header.c $ cvs diff -u -r1.198.2.8 -r1.198.2.9 header.c --- rpm/rpmdb/header.c28 Jun 2013 16:57:10 - 1.198.2.8 +++ rpm/rpmdb/header.c26 Aug 2013 21:35:57 - 1.198.2.9 @@ -398,7 +398,7 @@ switch (he-t) { case RPM_UINT64_TYPE: {rpmuint32_t * tt = (rpmuint32_t *)t; -assert(nb == (he-c * sizeof(*tt))); +assert(nb == (2 * he-c * sizeof(*tt))); for (i = 0; i he-c; i++) { rpmuint32_t j = 2 * i; rpmuint32_t b = (rpmuint32_t) htonl(he-p.ui32p[j]); @@ . __ RPM Package Managerhttp://rpm5.org CVS Sources Repositoryrpm-cvs@rpm5.org
[CVS] RPM: rpm-5_4: rpm/rpmdb/ header.c
RPM Package Manager, CVS Repository http://rpm5.org/cvs/ Server: rpm5.org Name: Jeff Johnson Root: /v/rpm/cvs Email: j...@rpm5.org Module: rpm Date: 28-Jun-2013 18:57:10 Branch: rpm-5_4 Handle: 2013062816571000 Modified files: (Branch: rpm-5_4) rpm/rpmdb header.c Log: - coverity #1035890 Summary: RevisionChanges Path 1.198.2.8 +9 -2 rpm/rpmdb/header.c patch -p0 '@@ .' Index: rpm/rpmdb/header.c $ cvs diff -u -r1.198.2.7 -r1.198.2.8 header.c --- rpm/rpmdb/header.c4 Jun 2012 15:10:18 - 1.198.2.7 +++ rpm/rpmdb/header.c28 Jun 2013 16:57:10 - 1.198.2.8 @@ -1330,11 +1330,11 @@ h = NULL ; /*@=onlytrans@*/ if (uh == NULL) - return NULL; + goto errxit; nh = headerLoad(uh); if (nh == NULL) { uh = _free(uh); - return NULL; + goto errxit; } nh-flags = ~(HEADERFLAG_MAPPED|HEADERFLAG_RDONLY); /* XXX unnecessary */ nh-flags |= HEADERFLAG_ALLOCATED; @@ -1366,6 +1366,13 @@ if (_hdr_debug) fprintf(stderr, -- h %p %s: blob %p[%u] flags 0x%x\n, nh, __FUNCTION__, nh-blob, (unsigned)nh-bloblen, nh-flags); return nh; + +errxit: +digest = _free(digest); +baseurl = _free(baseurl); +parent = _free(parent); +origin = _free(origin); +return NULL; } static Header headerMap(const void * uh, int map) @@ . __ RPM Package Managerhttp://rpm5.org CVS Sources Repositoryrpm-cvs@rpm5.org