Mailinglist Archive: opensuse-bugs (5220 mails)

[Bug 490033] VUL-0: satsolver: 3rd party repo crashes rpmmd2solv with memory corruption
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Sun, 5 Apr 2009 11:30:08 -0600 (MDT)
  • Message-id: <20090405173008.3539224550D@xxxxxxxxxxxxxxxxxxxxxx>
http://bugzilla.novell.com/show_bug.cgi?id=490033

User meissner@xxxxxxxxxx added comment
http://bugzilla.novell.com/show_bug.cgi?id=490033#c7

--- Comment #7 from Marcus Meissner <meissner@xxxxxxxxxx> 2009-04-05 11:30:05 MDT ---
tools/repo_rpmmd.c:set_sourcerpm is buggy.

you do:

name = id2str(pool, s->name);
evr = id2str(pool, s->evr);
if (!strcmp(sarch, "src.rpm"))
  repodata_set_constantid(data, handle, SOLVABLE_SOURCEARCH, ARCH_SRC);
else if (!strcmp(sarch, "nosrc.rpm"))
  repodata_set_constantid(data, handle, SOLVABLE_SOURCEARCH, ARCH_NOSRC);
else
  repodata_set_constantid(data, handle, SOLVABLE_SOURCEARCH, strn2id(pool, sarch, strlen(sarch) - 4, 1));

// strn2id can reallocate the pool, so "name" and "evr" can become invalid
// pointers.

if (!strncmp(sevr, evr, sarch - sevr - 1) && evr[sarch - sevr - 1] == 0)
  // you just used evr which might be invalid.
  repodata_set_void(data, handle, SOLVABLE_SOURCEEVR);
else
  repodata_set_id(data, handle, SOLVABLE_SOURCEEVR, strn2id(pool, sevr, sarch - sevr - 1, 1));

// here again strn2id can reallocate the string pool

if (!strncmp(sourcerpm, name, sevr - sourcerpm - 1) && name[sevr - sourcerpm - 1] == 0)
  // but here you use the name strpool reference
  repodata_set_void(data, handle, SOLVABLE_SOURCENAME);
else
  repodata_set_id(data, handle, SOLVABLE_SOURCENAME, strn2id(pool, sourcerpm, sevr - sourcerpm - 1, 1));

It is the same code as in the 11.1 and probably the sle11 satsolver.

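The pattern Marcus points at, as an added example that is not part of the bug report or of satsolver: a hypothetical toy string pool whose strn2id()/id2str() only mirror the shape of the real ones, with the defective check beside the corrected one (hold the Id and re-resolve the pointer after any call that can grow the pool).

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Toy string pool (hypothetical, not satsolver's): strings back to back in one
   growable buffer, an Id is an offset into it. */
typedef size_t Id;
typedef struct { char *buf; size_t used, cap; } Pool;
/* Intern n bytes of s; on growth the old block is freed, so every pointer
   id2str() handed out earlier now dangles. */
static Id strn2id(Pool *p, const char *s, size_t n) {
    if (p->used + n + 1 > p->cap) {
        size_t ncap = p->cap ? p->cap * 2 : 16;
        while (ncap < p->used + n + 1) ncap *= 2;
        char *nb = malloc(ncap);
        if (!nb) abort();
        if (p->buf) { memcpy(nb, p->buf, p->used); free(p->buf); }
        p->buf = nb; p->cap = ncap;
    }
    Id id = p->used;
    memcpy(p->buf + id, s, n);
    p->buf[id + n] = '\0';
    p->used += n + 1;
    return id;
}
static const char *id2str(const Pool *p, Id id) { return p->buf + id; }

/* The set_sourcerpm defect: pointer kept across strn2id(). Contrast only,
   demo() never calls it. */
int evr_matches_buggy(Pool *p, Id evr_id, const char *sevr, size_t n) {
    const char *evr = id2str(p, evr_id);
    strn2id(p, "x86_64", 6);                      /* may free p->buf */
    return !strncmp(sevr, evr, n) && evr[n] == 0; /* evr may dangle */
}
/* Fix: hold the Id, intern first, resolve the string afterwards. */
int evr_matches_fixed(Pool *p, Id evr_id, const char *sevr, size_t n) {
    strn2id(p, "x86_64", 6);
    const char *evr = id2str(p, evr_id);          /* fresh after growth */
    return !strncmp(sevr, evr, n) && evr[n] == 0;
}

/* Pool sized so the arch intern forces a move; 1 if the fixed check is right
   for a matching and a non-matching EVR and the buffer really moved. */
int demo(void) {
    Pool p = {0};
    Id evr = strn2id(&p, "1.2.3-4.5", 9);         /* 10 of the first 16 bytes */
    uintptr_t before = (uintptr_t)p.buf;
    int ok = evr_matches_fixed(&p, evr, "1.2.3-4.5.src.rpm", 9) == 1
          && evr_matches_fixed(&p, evr, "1.2.3-4.6.src.rpm", 9) == 0;
    int moved = (uintptr_t)p.buf != before;
    free(p.buf);
    return ok && moved;
}
```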
