<p>The attached file will cause an out-of-bounds heap read access when passed to rpm (tested with rpm -i --test [input]). Found with american fuzzy lop and AddressSanitizer.</p>
<p><a href="https://github.com/rpm-software-management/rpm/files/729923/oob-heap-copyTdEntry.zip">oob-heap-copyTdEntry.zip</a></p>
<p>Stack trace from asan:</p>
<pre><code>==25558==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a000012501 at pc 0x0000004b56e5 bp 0x7ffe1fa11e90 sp 0x7ffe1fa11640
READ of size 592 at 0x61a000012501 thread T0
    #0 0x4b56e4 in __asan_memcpy (/r/rpm/rpm+0x4b56e4)
    #1 0x5dd92e in copyTdEntry /f/rpm/rpm/lib/header.c:1074:23
    #2 0x5d82af in intGetTdEntry /f/rpm/rpm/lib/header.c:1294:7
    #3 0x5d71b1 in headerGet /f/rpm/rpm/lib/header.c:1317:10
    #4 0x6373a9 in rpmpkgRead /f/rpm/rpm/lib/package.c:365:6
    #5 0x6373a9 in rpmReadPackageFile /f/rpm/rpm/lib/package.c:432
    #6 0x579658 in tryReadHeader /f/rpm/rpm/lib/rpminstall.c:353:17
    #7 0x579658 in rpmInstall /f/rpm/rpm/lib/rpminstall.c:537
    #8 0x5057ae in main /f/rpm/rpm/rpmqv.c:295:12
    #9 0x7f9d10ee078f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #10 0x41c648 in _start (/r/rpm/rpm+0x41c648)

0x61a000012501 is located 0 bytes to the right of 1153-byte region [0x61a000012080,0x61a000012501)
allocated by thread T0 here:
    #0 0x4cc7a8 in malloc (/r/rpm/rpm+0x4cc7a8)
    #1 0x674ff4 in rmalloc /f/rpm/rpm/rpmio/rpmmalloc.c:44:13
    #2 0x636804 in rpmpkgReadHeader /f/rpm/rpm/lib/package.c:262:9
    #3 0x6371da in rpmpkgRead /f/rpm/rpm/lib/package.c:340:10
    #4 0x6371da in rpmReadPackageFile /f/rpm/rpm/lib/package.c:432
    #5 0x579658 in tryReadHeader /f/rpm/rpm/lib/rpminstall.c:353:17
    #6 0x579658 in rpmInstall /f/rpm/rpm/lib/rpminstall.c:537
    #7 0x5057ae in main /f/rpm/rpm/rpmqv.c:295:12

SUMMARY: AddressSanitizer: heap-buffer-overflow (/r/rpm/rpm+0x4b56e4) in __asan_memcpy
</code></pre>
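<p>The trace shows the memcpy in copyTdEntry reading 592 bytes starting exactly at the end of the 1153-byte header data region allocated in rpmpkgReadHeader. As an added example (not rpm's code), the C sketch below uses a simplified, constructed index-entry layout (<code>hdr_entry_t</code>, <code>hdr_entry_copy</code> are hypothetical names) to show the bounds check a header parser needs before copying an entry's payload out of the data blob, exercised with the offset/length shape from this report and with a 32-bit wraparound case.</p>

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified stand-in for a header index entry: where the
 * entry's data starts inside the header data blob and how many bytes it
 * spans. The real rpm layout differs; these names are constructed here. */
typedef struct {
    uint32_t offset;   /* byte offset into the data blob */
    uint32_t length;   /* bytes of data this entry claims */
} hdr_entry_t;

/* Copy an entry's payload out of the blob. Returns 0 on success, -1 if
 * the entry would read outside the blob or overflow the destination.
 * Checking against blob_len before memcpy is what turns the reported
 * heap-buffer-overflow into a clean parse error. */
int hdr_entry_copy(const unsigned char *blob, size_t blob_len,
                   const hdr_entry_t *e, unsigned char *out, size_t out_len)
{
    /* 64-bit arithmetic so offset + length cannot wrap for 32-bit inputs */
    uint64_t end = (uint64_t)e->offset + (uint64_t)e->length;
    if (end > blob_len || e->length > out_len)
        return -1;
    memcpy(out, blob + e->offset, e->length);
    return 0;
}

/* Constructed data with the shape of the reported trace: a 1153-byte blob
 * and an entry whose data starts exactly at its end and claims 592 bytes
 * ("0 bytes to the right of 1153-byte region"). Returns 1 when the bad
 * entry is rejected and an in-bounds entry of the same size is accepted. */
int demo_reported_shape(void)
{
    size_t blob_len = 1153;
    unsigned char *blob = calloc(blob_len, 1);
    unsigned char out[592];
    if (!blob)
        return 0;
    hdr_entry_t bad  = { .offset = 1153,       .length = 592 };
    hdr_entry_t good = { .offset = 1153 - 592, .length = 592 };
    int rc_bad  = hdr_entry_copy(blob, blob_len, &bad,  out, sizeof out);
    int rc_good = hdr_entry_copy(blob, blob_len, &good, out, sizeof out);
    free(blob);
    return rc_bad == -1 && rc_good == 0;
}

/* An offset near UINT32_MAX plus a small length must also be rejected;
 * 32-bit addition would wrap to a small, apparently valid end. */
int demo_wrap_rejected(void)
{
    unsigned char blob[16] = {0}, out[16];
    hdr_entry_t wrap = { .offset = 0xFFFFFFFFu, .length = 2 };
    return hdr_entry_copy(blob, sizeof blob, &wrap, out, sizeof out) == -1;
}
```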
