[Rpm-maint] [rpm-software-management/rpm] out of bounds heap read in rpmstrPoolId / rstrlenhash (#135)
Hanno Böck
notifications at github.com
Sat Jan 28 09:29:54 UTC 2017
I'm attaching another file; this creates a use-after-free, but it's in the same line of code, so I assume it's a variation of the same bug.
[rpm-useafterfree-rstrlenhash-rpmstrPoolId.zip](https://github.com/rpm-software-management/rpm/files/736803/rpm-useafterfree-rstrlenhash-rpmstrPoolId.zip)
```
==26753==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000001531 at pc 0x0000006a0e05 bp 0x7ffc05f97c30 sp 0x7ffc05f97c28
READ of size 1 at 0x602000001531 thread T0
#0 0x6a0e04 in rstrlenhash /f/rpm/rpm/rpmio/rpmstrpool.c:52:12
#1 0x6a0e04 in rpmstrPoolId /f/rpm/rpm/rpmio/rpmstrpool.c:390
#2 0x536103 in singleDS /f/rpm/rpm/lib/rpmds.c:460:15
#3 0x536103 in rpmdsSinglePool /f/rpm/rpm/lib/rpmds.c:486
#4 0x512720 in findPos /f/rpm/rpm/lib/depends.c:328:20
#5 0x512720 in addPackage /f/rpm/rpm/lib/depends.c:446
#6 0x5122e9 in rpmtsAddInstallElement /f/rpm/rpm/lib/depends.c:493:12
#7 0x57a1d4 in rpmInstall /f/rpm/rpm/lib/rpminstall.c:584:11
#8 0x5057ae in main /f/rpm/rpm/rpmqv.c:295:12
#9 0x7f4f83a7678f in __libc_start_main (/lib64/libc.so.6+0x2078f)
#10 0x41c648 in _start (/r/rpm/rpm+0x41c648)
0x602000001531 is located 1 bytes inside of 6-byte region [0x602000001530,0x602000001536)
freed by thread T0 here:
#0 0x4cc5f0 in __interceptor_cfree.localalias.1 (/r/rpm/rpm+0x4cc5f0)
#1 0x60ff7f in rpmtdFreeData /f/rpm/rpm/lib/rpmtd.c:48:2
#2 0x58f207 in addTE /f/rpm/rpm/lib/rpmte.c:145:15
#3 0x58f207 in rpmteNew /f/rpm/rpm/lib/rpmte.c:241
#4 0x512642 in addPackage /f/rpm/rpm/lib/depends.c:438:9
previously allocated by thread T0 here:
#0 0x4ccbc0 in realloc (/r/rpm/rpm+0x4ccbc0)
#1 0x6752ea in rrealloc /f/rpm/rpm/rpmio/rpmmalloc.c:65:13
#2 0x629bb4 in getNEVRA /f/rpm/rpm/lib/tagexts.c:772:11
#3 0x625026 in nevrTag /f/rpm/rpm/lib/tagexts.c:805:12
```
https://github.com/rpm-software-management/rpm/issues/135#issuecomment-275837735
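The report above pins down the lifetime problem: the NEVRA string is allocated in getNEVRA, freed by rpmtdFreeData during addTE, and then read one byte at a time by rstrlenhash when rpmstrPoolId hashes it for the dependency set. The following is an added illustration of that ownership pattern and is not rpm's code or rpm's fix: a constructed string pool whose length-and-hash routine walks to the NUL terminator, a stand-in "tag data" container that owns a heap buffer, and the two call orders. The names pool_t, td_t, strlenhash, pool_id, intern_after_free, intern_before_free and the sample string "hello-1.0-1.x86_64" are all invented for the example.

```c
/* Added example, not rpm code: a caller borrows a pointer into a container's
 * heap buffer, the container's cleanup frees it, and a later hash-and-intern
 * step walks the freed bytes (the "READ of size 1" in the report above).
 * All names and the sample string are constructed stand-ins. */
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A tiny string pool: interned copies, 1-based ids, 0 = not present. */
typedef struct {
    char **strs;
    uint32_t *hashes;
    size_t n, cap;
} pool_t;

/* Length and FNV-1a hash in one pass, a combined strlen()+hash.
 * Walking byte by byte until the NUL is exactly the access that faults
 * when the buffer has already been freed or has no terminator. */
static uint32_t strlenhash(const char *s, size_t *lenp)
{
    uint32_t h = 2166136261u;
    const char *p = s;
    for (; *p; p++) {
        h ^= (unsigned char)*p;
        h *= 16777619u;
    }
    *lenp = (size_t)(p - s);
    return h;
}

/* Look a string up; with create != 0, intern a private copy if absent. */
static uint32_t pool_id(pool_t *pool, const char *s, int create)
{
    size_t len;
    uint32_t h = strlenhash(s, &len);
    for (size_t i = 0; i < pool->n; i++)
        if (pool->hashes[i] == h && strcmp(pool->strs[i], s) == 0)
            return (uint32_t)(i + 1);
    if (!create)
        return 0;
    if (pool->n == pool->cap) {
        size_t ncap = pool->cap ? pool->cap * 2 : 8;
        pool->strs = realloc(pool->strs, ncap * sizeof *pool->strs);
        pool->hashes = realloc(pool->hashes, ncap * sizeof *pool->hashes);
        pool->cap = ncap;
    }
    pool->strs[pool->n] = strdup(s);   /* the pool owns its own copy */
    pool->hashes[pool->n] = h;
    return (uint32_t)(++pool->n);
}

static void pool_free(pool_t *pool)
{
    for (size_t i = 0; i < pool->n; i++)
        free(pool->strs[i]);
    free(pool->strs);
    free(pool->hashes);
    memset(pool, 0, sizeof *pool);
}

/* Stand-in for tag data whose buffer belongs to the container. */
typedef struct { char *data; } td_t;

static void td_set_sample(td_t *td) { td->data = strdup("hello-1.0-1.x86_64"); } /* constructed */
static void td_free_data(td_t *td)  { free(td->data); td->data = NULL; }

/* Buggy order: borrow the pointer, free the container, intern afterwards.
 * Under AddressSanitizer this is reported as heap-use-after-free inside
 * strlenhash. Only call this in an instrumented build (see main). */
static uint32_t intern_after_free(pool_t *pool)
{
    td_t td;
    td_set_sample(&td);
    const char *borrowed = td.data;
    td_free_data(&td);
    return pool_id(pool, borrowed, 1);   /* reads freed bytes */
}

/* Fixed order: intern (which copies) while the buffer is still alive,
 * then let the container release it. */
static uint32_t intern_before_free(pool_t *pool)
{
    td_t td;
    td_set_sample(&td);
    uint32_t id = pool_id(pool, td.data, 1);
    td_free_data(&td);
    return id;
}

int main(void)
{
    pool_t pool = {0};
    uint32_t id = intern_before_free(&pool);
    printf("interned id %u, lookup again -> %u\n",
           id, pool_id(&pool, "hello-1.0-1.x86_64", 0));
    if (getenv("DEMO_UAF"))   /* e.g. clang -fsanitize=address, then DEMO_UAF=1 ./a.out */
        printf("buggy path id %u\n", intern_after_free(&pool));
    pool_free(&pool);
    return 0;
}
```

Build with `-fsanitize=address -g` and run with `DEMO_UAF=1` to get a report of the same shape as the one in the issue: the READ frame is in strlenhash, the "freed by" frame is td_free_data, and the "previously allocated" frame is td_set_sample.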