<p>The attached file causes an out of bounds read in pgpPrtSig. This is a different bug from <a href="https://github.com/rpm-software-management/rpm/issues/149" class="issue-link js-issue-link" data-url="https://github.com/rpm-software-management/rpm/issues/149" data-id="205854164" data-error-text="Failed to load issue title" data-permission-text="Issue title is private">#149</a>, although it's in the same function.<br>
<a href="https://github.com/rpm-software-management/rpm/files/762089/oob-heap-pgpPrtSig-rpmpgp-633.zip">oob-heap-pgpPrtSig-rpmpgp-633.zip</a></p>
<p>Here's the ASan output:</p>
<pre><code>==10690==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001a9f at pc 0x00000066c892 bp 0x7ffda160f2f0 sp 0x7ffda160f2e8
READ of size 2 at 0x602000001a9f thread T0
    #0 0x66c891 in pgpPrtSig /f/rpm/rpm/rpmio/rpmpgp.c:633:6
    #1 0x66c891 in pgpPrtPkt /f/rpm/rpm/rpmio/rpmpgp.c:842
    #2 0x66c891 in pgpPrtParams /f/rpm/rpm/rpmio/rpmpgp.c:1003
    #3 0x595487 in rpmSigInfoParse /f/rpm/rpm/lib/signature.c:104:6
    #4 0x52d908 in rpmpkgVerifySigs /f/rpm/rpm/lib/rpmchecksig.c:263:7
    #5 0x52f3ea in rpmcliVerifySignatures /f/rpm/rpm/lib/rpmchecksig.c:381:13
    #6 0x50420d in main /f/rpm/rpm/rpmkeys.c:74:7
    #7 0x7fd009f7878f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #8 0x41c558 in _start (/r/rpm/rpmkeys+0x41c558)

0x602000001a9f is located 0 bytes to the right of 15-byte region [0x602000001a90,0x602000001a9f)
allocated by thread T0 here:
    #0 0x4cc6b8 in malloc (/r/rpm/rpmkeys+0x4cc6b8)
    #1 0x664624 in rmalloc /f/rpm/rpm/rpmio/rpmmalloc.c:44:13
    #2 0x5d0677 in copyTdEntry /f/rpm/rpm/lib/header.c:1096:12
    #3 0x5cf8e4 in headerNext /f/rpm/rpm/lib/header.c:1712:7
    #4 0x52d310 in rpmpkgVerifySigs /f/rpm/rpm/lib/rpmchecksig.c:262:12
    #5 0x52f3ea in rpmcliVerifySignatures /f/rpm/rpm/lib/rpmchecksig.c:381:13
    #6 0x50420d in main /f/rpm/rpm/rpmkeys.c:74:7
    #7 0x7fd009f7878f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #8 0x41c558 in _start (/r/rpm/rpmkeys+0x41c558)
</code></pre>
