[Rpm-maint] [rpm-software-management/rpm] rpmkeys out of bounds read in pgpPrtSig, rpmpgp.c:633 (#151)

Hanno Böck notifications at github.com
Wed Feb 8 22:12:53 UTC 2017


The attached file causes an out of bounds read in pgpPrtSig. This is a different bug from #149, although it's in the same function.
[oob-heap-pgpPrtSig-rpmpgp-633.zip](https://github.com/rpm-software-management/rpm/files/762089/oob-heap-pgpPrtSig-rpmpgp-633.zip)

Here's the asan output:
```
==10690==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001a9f at pc 0x00000066c892 bp 0x7ffda160f2f0 sp 0x7ffda160f2e8
READ of size 2 at 0x602000001a9f thread T0
    #0 0x66c891 in pgpPrtSig /f/rpm/rpm/rpmio/rpmpgp.c:633:6
    #1 0x66c891 in pgpPrtPkt /f/rpm/rpm/rpmio/rpmpgp.c:842
    #2 0x66c891 in pgpPrtParams /f/rpm/rpm/rpmio/rpmpgp.c:1003
    #3 0x595487 in rpmSigInfoParse /f/rpm/rpm/lib/signature.c:104:6
    #4 0x52d908 in rpmpkgVerifySigs /f/rpm/rpm/lib/rpmchecksig.c:263:7
    #5 0x52f3ea in rpmcliVerifySignatures /f/rpm/rpm/lib/rpmchecksig.c:381:13
    #6 0x50420d in main /f/rpm/rpm/rpmkeys.c:74:7
    #7 0x7fd009f7878f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #8 0x41c558 in _start (/r/rpm/rpmkeys+0x41c558)

0x602000001a9f is located 0 bytes to the right of 15-byte region [0x602000001a90,0x602000001a9f)
allocated by thread T0 here:
    #0 0x4cc6b8 in malloc (/r/rpm/rpmkeys+0x4cc6b8)
    #1 0x664624 in rmalloc /f/rpm/rpm/rpmio/rpmmalloc.c:44:13
    #2 0x5d0677 in copyTdEntry /f/rpm/rpm/lib/header.c:1096:12
    #3 0x5cf8e4 in headerNext /f/rpm/rpm/lib/header.c:1712:7
    #4 0x52d310 in rpmpkgVerifySigs /f/rpm/rpm/lib/rpmchecksig.c:262:12
    #5 0x52f3ea in rpmcliVerifySignatures /f/rpm/rpm/lib/rpmchecksig.c:381:13
    #6 0x50420d in main /f/rpm/rpm/rpmkeys.c:74:7
    #7 0x7fd009f7878f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #8 0x41c558 in _start (/r/rpm/rpmkeys+0x41c558)
```
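As an added example (not rpm's code, and not a reconstruction of pgpPrtSig, whose source this report does not show): a hypothetical bounds-checked walker over the fixed fields of an OpenPGP v4 signature body, fed a constructed 15-byte body shaped like the ASan report above, where a 2-byte read would start exactly at the end of a 15-byte region. Each 2-byte count is checked against the remaining length before it is read, and each declared subpacket area is checked against what is actually left, so a truncated or lying packet yields an error rather than a read past the allocation.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical bounds-checked walker for the fixed-size fields of an OpenPGP
 * v4 signature packet body (RFC 4880 section 5.2.3). Not rpm's pgpPrtSig. */

/* Read a 2-byte big-endian count only if both bytes lie inside [p, end). */
static int grab16(const uint8_t *p, const uint8_t *end, size_t *out)
{
    if (end - p < 2)                  /* the read would run past the packet */
        return -1;
    *out = ((size_t)p[0] << 8) | p[1];
    return 0;
}

/* Returns 0 when every field through left16 fits in len bytes, -1 when any
 * count field or subpacket area would extend beyond the buffer. */
int parse_v4_sig_header(const uint8_t *buf, size_t len)
{
    const uint8_t *p = buf, *end = buf + len;
    size_t hashed, unhashed, left16;
    if (len < 4 || buf[0] != 4)       /* version, sigtype, pubkey alg, hash alg */
        return -1;
    p += 4;
    if (grab16(p, end, &hashed) < 0) return -1;
    p += 2;
    if ((size_t)(end - p) < hashed) return -1;   /* hashed subpackets truncated */
    p += hashed;
    if (grab16(p, end, &unhashed) < 0) return -1;
    p += 2;
    if ((size_t)(end - p) < unhashed) return -1; /* unhashed subpackets truncated */
    p += unhashed;
    /* On the 15-byte body below this is the 2-byte read that starts at the
     * very end of the buffer; the check makes it fail instead of reading. */
    return grab16(p, end, &left16);
}

/* Constructed test bodies. Subpacket contents are not interpreted here. */
const uint8_t truncated_sig[15] = {       /* left16 field missing entirely */
    4, 0x00, 1, 8,                        /* v4, binary-doc sig, RSA, SHA-256 */
    0x00, 0x06, 5, 2, 0x58, 0x9b, 0x8c, 0x00, /* hashed: creation-time subpkt */
    0x00, 0x01, 0x00 };                   /* unhashed count 1, one filler byte */
const uint8_t complete_sig[17] = {        /* same body plus a 2-byte left16 */
    4, 0x00, 1, 8, 0x00, 0x06, 5, 2, 0x58, 0x9b, 0x8c, 0x00,
    0x00, 0x01, 0x00, 0xab, 0xcd };
const uint8_t lying_count_sig[6] = {      /* hashed count 65535, no data */
    4, 0x00, 1, 8, 0xff, 0xff };
```

parse_v4_sig_header returns -1 for truncated_sig and lying_count_sig and 0 for complete_sig; an ASan build of the same code stays silent on all three.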


https://github.com/rpm-software-management/rpm/issues/151