<p>I'm attaching another file; this one creates a use-after-free, but it's in the same line of code, so I assume it's a variation of the same bug.<br>
<a href="https://github.com/rpm-software-management/rpm/files/736803/rpm-useafterfree-rstrlenhash-rpmstrPoolId.zip">rpm-useafterfree-rstrlenhash-rpmstrPoolId.zip</a></p>
<pre><code>==26753==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000001531 at pc 0x0000006a0e05 bp 0x7ffc05f97c30 sp 0x7ffc05f97c28
READ of size 1 at 0x602000001531 thread T0
    #0 0x6a0e04 in rstrlenhash /f/rpm/rpm/rpmio/rpmstrpool.c:52:12
    #1 0x6a0e04 in rpmstrPoolId /f/rpm/rpm/rpmio/rpmstrpool.c:390
    #2 0x536103 in singleDS /f/rpm/rpm/lib/rpmds.c:460:15
    #3 0x536103 in rpmdsSinglePool /f/rpm/rpm/lib/rpmds.c:486
    #4 0x512720 in findPos /f/rpm/rpm/lib/depends.c:328:20
    #5 0x512720 in addPackage /f/rpm/rpm/lib/depends.c:446
    #6 0x5122e9 in rpmtsAddInstallElement /f/rpm/rpm/lib/depends.c:493:12
    #7 0x57a1d4 in rpmInstall /f/rpm/rpm/lib/rpminstall.c:584:11
    #8 0x5057ae in main /f/rpm/rpm/rpmqv.c:295:12
    #9 0x7f4f83a7678f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #10 0x41c648 in _start (/r/rpm/rpm+0x41c648)

0x602000001531 is located 1 bytes inside of 6-byte region [0x602000001530,0x602000001536)
freed by thread T0 here:
    #0 0x4cc5f0 in __interceptor_cfree.localalias.1 (/r/rpm/rpm+0x4cc5f0)
    #1 0x60ff7f in rpmtdFreeData /f/rpm/rpm/lib/rpmtd.c:48:2
    #2 0x58f207 in addTE /f/rpm/rpm/lib/rpmte.c:145:15
    #3 0x58f207 in rpmteNew /f/rpm/rpm/lib/rpmte.c:241
    #4 0x512642 in addPackage /f/rpm/rpm/lib/depends.c:438:9

previously allocated by thread T0 here:
    #0 0x4ccbc0 in realloc (/r/rpm/rpm+0x4ccbc0)
    #1 0x6752ea in rrealloc /f/rpm/rpm/rpmio/rpmmalloc.c:65:13
    #2 0x629bb4 in getNEVRA /f/rpm/rpm/lib/tagexts.c:772:11
    #3 0x625026 in nevrTag /f/rpm/rpm/lib/tagexts.c:805:12
</code></pre>
