packages (rpm-4_5): rpm/rpm-shescape-memfault.patch (NEW) - doing xrealloc ...

glen glen at pld-linux.org
Wed May 13 17:30:15 CEST 2009


Author: glen                         Date: Wed May 13 15:30:15 2009 GMT
Module: packages                      Tag: rpm-4_5
---- Log message:
- doing xrealloc on the "t" pointer, which by then points at the end of the string, with the specified length does an out-of-bounds copy
  merged shescape from rpm5 trunk

---- Files affected:
packages/rpm:
   rpm-shescape-memfault.patch (NONE -> 1.1.2.1)  (NEW)

---- Diffs:

================================================================
Index: packages/rpm/rpm-shescape-memfault.patch
diff -u /dev/null packages/rpm/rpm-shescape-memfault.patch:1.1.2.1
--- /dev/null	Wed May 13 17:30:15 2009
+++ packages/rpm/rpm-shescape-memfault.patch	Wed May 13 17:30:10 2009
@@ -0,0 +1,59 @@
+--- rpm-4.5/rpmdb/header.c~	2009-05-13 18:25:56.000000000 +0300
++++ rpm-4.5/rpmdb/header.c	2009-05-13 18:26:01.729564093 +0300
+@@ -2977,7 +2977,6 @@
+ static char * shescapeFormat(HE_t he, /*@null@*/ const char ** av)
+ 	/*@*/
+ {
+-    rpmTagData data = { .ptr = he->p.ptr };
+     char * val;
+     size_t nb;
+ 
+@@ -2985,34 +2984,37 @@
+     if (he->t == RPM_INT32_TYPE) {
+ 	nb = 20;
+ 	val = xmalloc(nb);
+-	snprintf(val, nb, "%d", data.i32p[0]);
++	snprintf(val, nb, "%d", he->p.i32p[0]);
+ 	val[nb-1] = '\0';
+     } else if (he->t == RPM_INT64_TYPE) {
+ 	nb = 40;
+ 	val = xmalloc(40);
+-	snprintf(val, nb, "%lld", data.i64p[0]);
++	snprintf(val, nb, "%lld", he->p.i64p[0]);
+ 	val[nb-1] = '\0';
+     } else if (he->t == RPM_STRING_TYPE) {
+-	const char * s = data.str;
++	const char * s = he->p.str;
+ 	char * t;
+ 	int c;
+ 
+-	nb = strlen(data.str) + 1;
+-	/* XXX count no. of escapes instead. */
+-	t = xmalloc(4 * nb + 3);
++	nb = 0;
++	for (s = he->p.str; (c = (int)*s) != 0; s++)  {
++	    nb++;
++	    if (c == (int)'\'')
++		nb += 3;
++	}
++	nb += 3;
++	t = val = xmalloc(nb);
+ 	*t++ = '\'';
+-	while ((c = *s++) != 0) {
+-	    if (c == '\'') {
++	for (s = he->p.str; (c = (int)*s) != 0; s++)  {
++	    if (c == (int)'\'') {
+ 		*t++ = '\'';
+ 		*t++ = '\\';
+ 		*t++ = '\'';
+ 	    }
+-	    *t++ = c;
++	    *t++ = (char) c;
+ 	}
+ 	*t++ = '\'';
+ 	*t = '\0';
+-	nb = strlen(t) + 1;
+-	val = xrealloc(t, nb);
+     } else
+ 	val = xstrdup(_("invalid type"));
+ 
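Review bot: The new RPM_STRING_TYPE branch allocates exactly `nb` bytes, so the counting loop and the copy loop must agree byte for byte, and nothing in the code records that. The old `4 * nb + 3` over-allocation hid any mismatch; now a later change to the escape sequence that misses the count becomes a heap overflow in shell-quoting code. I would document the arithmetic at `nb += 3;`, for example `/* each ' is written as '\'' (4 bytes); +3 = opening quote, closing quote, NUL */`, and, if header.c can use assert, add `assert((size_t)(t - val) + 1 == nb);` after `*t = '\0';`. In the RPM_INT64_TYPE branch the untouched `val = xmalloc(40);` would be better as `val = xmalloc(nb);` so the size given to snprintf cannot drift from the allocation. The body of shescapeFormat continues outside both inner hunks, so whether `he->p.str` can be NULL on this path is not visible here and is worth confirming.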
================================================================

