[Rpm-maint] [rpm-software-management/rpm] rpmkeys out of bounds heap read in pgpPrtSubType, rpmpgp.c line 444 (#148)

Hanno Böck notifications at github.com
Tue Feb 7 10:55:16 UTC 2017 

Just for completeness: Here's a different file triggering an out of bounds a few lines earlier. It seems it is fixed by the same commit (sidenote: I think it'd be a good idea to have regression tests with all the fuzzed files that triggered bugs).

[rpmkeys-oob-heap-pgpPrtSubType-rpmpgp-427.zip](https://github.com/rpm-software-management/rpm/files/757334/rpmkeys-oob-heap-pgpPrtSubType-rpmpgp-427.zip)

asan message (from a 4.13.0 compile):
```
==27208==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000019bd at pc 0x000000677a6a bp 0x7ffe5597dc70 sp 0x7ffe5597dc68
READ of size 4 at 0x6020000019bd thread T0
    #0 0x677a69 in pgpPrtSubType /f/rpm/rpm-4.13.0/rpmio/rpmpgp.c:427:3
    #1 0x66a45d in pgpPrtSig /f/rpm/rpm-4.13.0/rpmio/rpmpgp.c:594:6
    #2 0x66a45d in pgpPrtPkt /f/rpm/rpm-4.13.0/rpmio/rpmpgp.c:819
    #3 0x66a45d in pgpPrtParams /f/rpm/rpm-4.13.0/rpmio/rpmpgp.c:978
    #4 0x592c67 in rpmSigInfoParse /f/rpm/rpm-4.13.0/lib/signature.c:90:6
    #5 0x52d789 in rpmpkgVerifySigs /f/rpm/rpm-4.13.0/lib/rpmchecksig.c:270:7
    #6 0x52f19a in rpmcliVerifySignatures /f/rpm/rpm-4.13.0/lib/rpmchecksig.c:388:13
    #7 0x50415d in main /f/rpm/rpm-4.13.0/rpmkeys.c:70:7
    #8 0x7f36453fb78f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #9 0x41c4a8 in _start (/f/rpm/rpm-4.13.0/rpmkeys+0x41c4a8)

0x6020000019bd is located 0 bytes to the right of 13-byte region [0x6020000019b0,0x6020000019bd)
allocated by thread T0 here:
    #0 0x4cc608 in malloc (/f/rpm/rpm-4.13.0/rpmkeys+0x4cc608)
    #1 0x664d64 in rmalloc /f/rpm/rpm-4.13.0/rpmio/rpmmalloc.c:44:13


-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/148#issuecomment-277964994
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rpm.org/pipermail/rpm-maint/attachments/20170207/c938dca1/attachment-0001.html>

More information about the Rpm-maint mailing list