[Rpm-maint] [rpm-software-management/rpm] Stack overflow in glob() function (Issue #2605)
Jan Engelhardt
notifications at github.com
Tue Aug 8 10:33:15 UTC 2023
Version: 4.18 (openSUSE Tumbleweed 20230807)
Given a crafted input file, rpm blows the standard stack (typically 8 MB) with lots of recursion. A VLA in the stack frame is detrimental to that as well.
```
$ gdb /usr/bin/rpm
(gdb) r _buildenv
…
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7f0d934 in glob (
pattern=pattern at entry=0x7fffff809d40 "didnt move in 1.5h (seen in libreoffice builds) BuildFlags: logidlelimit:5400 %endif %if "%_project" == "openSUSE:Factory" || "%_project" == "openSUSE:Factory:NonFre"..., flags=flags at entry=5152,
pglob=pglob at entry=0x7fffffffb8d0, errfunc=0x0) at /usr/src/debug/rpm-4.18.0/rpmio/rpmglob.c:165
165 char onealt[strlen(pattern) - 1];
```
bt:
```
#0 0x00007ffff7f0d934 in glob (pattern=pattern at entry=0x7fffff809d40 "didnt move"..., flags=flags at entry=5152, pglob=pglob at entry=0x7fffffffb8d0,
errfunc=0x0) at /usr/src/debug/rpm-4.18.0/rpmio/rpmglob.c:165
#1 0x00007ffff7f0e2fc in glob (pattern=pattern at entry=0x7fffff826dd0 "didnt move"..., flags=flags at entry=5152, pglob=pglob at entry=0x7fffffffb8d0,
errfunc=0x0) at /usr/src/debug/rpm-4.18.0/rpmio/rpmglob.c:213
…
#70 0x00007ffff7f0e2fc in glob (pattern=0x7ffff77811ce "didnt move"..., flags=flags at entry=5120, pglob=pglob at entry=0x7fffffffb8d0, errfunc=0x0)
at /usr/src/debug/rpm-4.18.0/rpmio/rpmglob.c:213
#71 0x00007ffff7f0f073 in rpmGlob (patterns=patterns at entry=0x7ffff781b010 "<buildinfo"..., argcPtr=argcPtr at entry=0x7fffffffba3c,
argvPtr=argvPtr at entry=0x7fffffffba40) at /usr/src/debug/rpm-4.18.0/rpmio/rpmglob.c:864
#72 0x00007ffff7f4b45a in rpmReadPackageManifest (fd=<optimized out>, argcPtr=0x5555555c9798, argvPtr=0x5555555c97a0)
at /usr/src/debug/rpm-4.18.0/lib/manifest.c:121
#73 0x00007ffff7f667b3 in tryReadManifest (eiu=0x5555555c9760) at /usr/src/debug/rpm-4.18.0/lib/rpminstall.c:333
#74 rpmInstall (ts=ts at entry=0x5555555c8970, ia=<optimized out>, fileArgv=<optimized out>) at /usr/src/debug/rpm-4.18.0/lib/rpminstall.c:565
#75 0x00005555555567e1 in main (argc=3, argv=<optimized out>) at /usr/src/debug/rpm-4.18.0/rpm.c:274
```
[buildenv.zip](https://github.com/rpm-software-management/rpm/files/12290206/buildenv.zip)
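As an added, hypothetical example (not rpm's glob() code from rpmglob.c), here is a brace-alternative expander of the kind the backtrace shows recursing, hardened in the two ways the report points at: a recursion-depth cap so a crafted pattern is rejected with an error instead of exhausting the stack, and a heap scratch buffer in place of a VLA sized by the pattern. MAX_BRACE_DEPTH, expand_braces, count_expansions and nested_pattern_result are names and values chosen here.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#define MAX_BRACE_DEPTH 32   /* hypothetical cap chosen here; not an rpm constant */
typedef void (*expand_cb)(const char *expanded, void *ctx);
/* Expand "{a,b}" alternatives recursively, calling cb (may be NULL) per result.
 * Returns the count, or -1 (errno=E2BIG) once nesting passes the cap; scratch
 * space is a heap buffer, not a VLA sized by the input. */
long expand_braces(const char *pattern, int depth, expand_cb cb, void *ctx)
{
    if (depth > MAX_BRACE_DEPTH) { errno = E2BIG; return -1; }
    const char *lb = strchr(pattern, '{'), *rb = NULL;
    int level = 0;
    for (const char *p = lb; lb && *p; p++)             /* find the matching '}' */
        if (*p == '{') level++;
        else if (*p == '}' && --level == 0) { rb = p; break; }
    if (!rb) { if (cb) cb(pattern, ctx); return 1; }    /* no braces: literal */
    char *buf = malloc(strlen(pattern) + 1);            /* results are never longer */
    if (!buf) return -1;
    long total = 0;
    for (const char *alt = lb + 1, *p = alt; ; p++) {
        if (p == rb || (*p == ',' && level == 0)) {     /* one alternative ends */
            size_t n = (size_t)(lb - pattern), m = (size_t)(p - alt);
            memcpy(buf, pattern, n);
            memcpy(buf + n, alt, m);
            strcpy(buf + n + m, rb + 1);                /* prefix + alt + suffix */
            long r = expand_braces(buf, depth + 1, cb, ctx);
            if (r < 0) { free(buf); return -1; }
            total += r;
            if (p == rb) break;
            alt = p + 1;
        } else if (*p == '{') level++;
        else if (*p == '}') level--;
    }
    free(buf);
    return total;
}

/* Count expansions, or -1 when the nesting cap rejects the pattern. */
long count_expansions(const char *pattern) { return expand_braces(pattern, 0, NULL, NULL); }
/* Constructed stand-in for a crafted input: "{{..{x}..}}" nested `levels` deep. */
long nested_pattern_result(int levels)
{
    char *pat = malloc((size_t)levels * 2 + 2);
    if (!pat) return -1;
    memset(pat, '{', (size_t)levels);
    memset(pat + levels + 1, '}', (size_t)levels);
    pat[levels] = 'x'; pat[2 * levels + 1] = '\0';
    long r = count_expansions(pat);
    free(pat); return r;
}
```

With the cap in place, each recursion level costs a fixed, small frame and one malloc, so the 8 MB stack is no longer the resource a long nested pattern exhausts first.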