Bug 75774 - Non-rpm file causes rpm to segfault, rather than reject it
Summary: Non-rpm file causes rpm to segfault, rather than reject it
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Fedora
Classification: Fedora
Component: rpm
Version: rawhide
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Paul Nasrat
QA Contact:
URL: http://www.mysql.com/Downloads/MySQL-...
Whiteboard:
Depends On:
Blocks: FC5Target
Reported: 2002-10-12 04:32 UTC by lukeh
Modified: 2007-11-30 22:10 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-02-12 18:16:02 UTC


Attachments
RPM package that is *not* an RPM package and causes a segfault on rpm -Uvh (deleted)
2002-10-12 14:33 UTC, lukeh

Description lukeh 2002-10-12 04:32:55 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20020830

Description of problem:
I went to download MySQL from mysql.com, from the following webpage:

  http://www.mysql.com/downloads/mysql-3.23.html

I right-clicked on the link that said "Download" next to "Server (i386)", i.e.
the following link, and went "Download link" in my browser:

  http://www.mysql.com/Downloads/MySQL-3.23/MySQL-3.23.52-1.i386.rpm

It turns out that this link is *not* an RPM; rather, you get redirected to an
HTML download page with the actual download links on in each mirror.  However I
didn't know that I had just downloaded an HTML file with an .rpm extension, so I
proceeded to install the "rpm":

  rpm -Uhv MySQL-3.23.52-1.i386.rpm

I get a segfault.

Version-Release number of selected component (if applicable):
rpm-4.1-1.06
 (Psyche vanilla)

How reproducible:
Always

Steps to Reproduce:
[Follow the steps above]

Actual Results:  

   Segmentation fault

Expected Results:  I would have expected:

  MySQL-3.23.52-1.i386.rpm: not an rpm package (or package manifest):

Additional info:

Comment 1 Jeff Johnson 2002-10-12 13:14:59 UTC
Yup. Can you attach a copy of the file here
that you tried to install so I can see
exactly what's wrong? Thanks

Comment 2 lukeh 2002-10-12 14:33:29 UTC
Created attachment 80127 [details]
RPM package that is *not* an RPM package and causes a segfault on rpm -Uvh

Comment 3 lukeh 2002-10-12 14:35:55 UTC
Interestingly, "less MySQL-3....rpm" gives the expected "not an rpm" message,
i.e. I guess querying the rpm file without installing it seems to work fine (I
don't know which options less invokes rpm with to list the files in the rpm).

Comment 4 Paul Nasrat 2005-10-31 17:45:59 UTC
==13949== Stack overflow in thread 1: can't grow stack to 0x521FB9D8
==13949==
==13949== Process terminating with default action of signal 11 (SIGSEGV):
dumping core
==13949==  Access not within mapped region at address 0x521FB9D8
==13949==    at 0x1BAFB7DB: glob64 (in /usr/lib/librpmio-4.4.so)
==13949== Stack overflow in thread 1: can't grow stack to 0x521FB9CC

/**@todo Infinite loops through manifest files exist, operator error for now. */

looks like we're looking:

#0  *glob64 (
    pattern=0xbec68e50 "Worlds Most Popular Open Source Database\" /></td> </tr>
</table> </td> </tr>\t\t\t <tr> <td><img src=\"../images/pixel-trans.gif\"
width=\"1\" height=\"5\" alt=\"\" /></td> </tr> <tr> <td> <table border=\"0\"
widt"..., flags=8196, errfunc=0x24bd49 <Glob_error>, pglob=0xbec72274) at
/usr/include/bits/string3.h:75
...
#303 0x0024f8ef in *glob64 (pattern=0xa42d5d2 "Worlds Most Popular Open Source
Database\" /></td> </tr> </table> </td> </tr>\t\t\t <tr> <td><img
src=\"../images/pixel-trans.gif\" width=\"1\" height=\"5\" alt=\"\" /></td>
</tr> <tr> <td> <table border=\"0\" widt"..., flags=4096, errfunc=0x24bd49
<Glob_error>, pglob=0xbf85c8dc) at ../misc/glob.c:628
#304 0x0024bdfd in Glob (pattern=0xa42d5d2 "Worlds Most Popular Open Source
Database\" /></td> </tr> </table> </td> </tr>\t\t\t <tr> <td><img
src=\"../images/pixel-trans.gif\" width=\"1\" height=\"5\" alt=\"\" /></td>
</tr> <tr> <td> <table border=\"0\" widt"..., flags=4096, errfunc=0x24bd49
<Glob_error>, pglob=0xbf85c8dc) at rpmrpc.c:1469
#305 0x002368eb in rpmGlob (patterns=0xa007c50 "<!DOCTYPE HTML PUBLIC
\"-//W3C//DTD HTML 4.01 Transitional//EN\"> <html> <head> <title>MySQL |
Downloads | MySQL | Pick your closest mirror</title> <link rel=\"stylesheet\"
href=\"../styles/mysql.css\" type"..., argcPtr=0xbf85c974, argvPtr=0xbf85c970)
at macro.c:1729
#306 0x003ef608 in rpmReadPackageManifest (fd=0x3c, argcPtr=0xbf85e9e4,
argvPtr=0xbf85e9e8) at manifest.c:130
#307 0x0040a498 in rpmInstall (ts=0xa006dc8, ia=0x441de0, fileArgv=0x9fef068) at
rpminstall.c:617
#308 0x0804a0b2 in main (argc=4, argv=0xbf85ebc4) at ./rpmqv.c:790
#309 0x00b6850f in __libc_start_main () from /lib/libc.so.6
#310 0x08049351 in _start ()



Comment 5 Jeff Johnson 2006-02-12 18:16:02 UTC
This prevents the segfault for the class of HTML problems:
Index: manifest.c
===============================================================
====
RCS file: /cvs/devel/rpm/lib/manifest.c,v
retrieving revision 2.15.2.2
diff -u -b -B -w -p -r2.15.2.2 manifest.c
--- manifest.c  20 Dec 2005 17:02:32 -0000      2.15.2.2
+++ manifest.c  12 Feb 2006 18:11:44 -0000
@@ -105,6 +105,13 @@ rpmRC rpmReadPackageManifest(FD_t fd, in
            break;
        }
 
+       /* XXX stop processing manifest if HTML is found. */
+#define        DOCTYPE_HTML_PUBLIC     "<!DOCTYPE HTML PUBLIC"
+       if (!strncmp(line, DOCTYPE_HTML_PUBLIC, sizeof(DOCTYPE_HTML_PUBLIC)-1)) {
+           rpmrc = RPMRC_NOTFOUND;
+           goto exit;
+       }
+
        /* Skip comments. */
        if ((se = strchr(s, '#')) != NULL) *se = '\0';
 
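Review bot: The strncmp() test on `line` is case-sensitive, anchored at the first byte, and matches only the literal "<!DOCTYPE HTML PUBLIC", so a page that begins with leading whitespace, a lower-case `<!doctype html>`, or a bare `<html>` tag still falls through to the rest of the manifest processing. Consider skipping leading whitespace, comparing case-insensitively against the shorter "<!DOCTYPE" and "<html" prefixes, and moving the #define to file scope rather than leaving it mid-function. A check on what a manifest line may contain (printable text, bounded length) would also cover non-HTML input, which this test does not.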

The patch is a bit pugly, that can't be helped afaik.

Checked into rpm cvs, will be in rpm-4.4.5-0.10 when built.
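
A more general form of the content check, as an added example that is not rpm's code or part of this bug report: it classifies the first bytes of a file as an RPM (lead magic `ed ab ee db`), HTML, or a plausible text manifest before any line would be handed to glob. The names `classify_input` and `starts_with_ci` and the 4096-byte line bound are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names; the line bound is an assumed value, not an rpm constant. */
enum input_kind { KIND_RPM, KIND_HTML, KIND_REJECT, KIND_MANIFEST };
#define MAX_MANIFEST_LINE 4096

/* Case-insensitive prefix test after skipping a UTF-8 BOM and whitespace. */
static int starts_with_ci(const unsigned char *s, size_t n, const char *prefix)
{
    size_t i, plen = strlen(prefix);
    if (n >= 3 && memcmp(s, "\xef\xbb\xbf", 3) == 0) { s += 3; n -= 3; }
    while (n > 0 && isspace(*s)) { s++; n--; }
    if (n < plen) return 0;
    for (i = 0; i < plen; i++)
        if (tolower(s[i]) != tolower((unsigned char)prefix[i])) return 0;
    return 1;
}

/* Decide what a file is from its first n bytes, before any glob expansion. */
enum input_kind classify_input(const unsigned char *buf, size_t n)
{
    static const unsigned char rpm_magic[4] = { 0xed, 0xab, 0xee, 0xdb };
    size_t i, line_len = 0;

    if (n >= 4 && memcmp(buf, rpm_magic, 4) == 0)
        return KIND_RPM;
    if (starts_with_ci(buf, n, "<!DOCTYPE") ||
        starts_with_ci(buf, n, "<html"))
        return KIND_HTML;
    for (i = 0; i < n; i++) {
        unsigned char c = buf[i];
        if (c == '\n') { line_len = 0; continue; }
        if (c != '\t' && c != '\r' && (c < 0x20 || c == 0x7f))
            return KIND_REJECT;      /* control bytes: not a text manifest */
        if (++line_len > MAX_MANIFEST_LINE)
            return KIND_REJECT;      /* one enormous "pattern": refuse it */
    }
    return KIND_MANIFEST;
}

int main(void)
{
    /* Constructed sample: start of an HTML page saved under a .rpm name. */
    static const char html[] = "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\">\n<html>";
    printf("%d\n", classify_input((const unsigned char *)html, sizeof html - 1));
    return 0;
}
```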

