RPM Community Forums

Mailing List Message of <rpm-devel>

Re: segfault under at least Solaris 9

From: Ralf S. Engelschall <rse+rpm-devel@rpm5.org>
Date: Mon 12 Nov 2007 - 12:31:19 CET
Message-ID: <20071112113119.GA91728@engelschall.com>
On Mon, Nov 12, 2007, Ralf S. Engelschall wrote:

> I'm currently fixing the build under Solaris 9 and observed the
> following results at the end of the "devtool snapshot" procedure. Please
> notice the "warning: tag ..." messages and the segfault at the end.
>
> [...]
> | + /tmp/rpm/bin/rpm -vv -e gpg-pubkey-2039b291-3dbaae72
> | D: opening  db environment /tmp/rpm/var/rpm/db/Packages cdb:mpool
> | D: opening  db index       /tmp/rpm/var/rpm/db/Packages rdonly mode=0x0
> | D: locked   db index       /tmp/rpm/var/rpm/db/Packages
> | D: opening  db index       /tmp/rpm/var/rpm/db/Name rdonly mode=0x0
> | ==> warning: tag 1002 type(0x6) != implicit type(0x20008)
> | D:  read h#       1 Header sanity check: OK
> | Segmentation Fault - core dumped
> [...]

The segfaults happen because NULL pointers are passed to vsnprintf():

1.

#0  0xff13455c in strlen () from /usr/lib/libc.so.1
#1  0xff187058 in _doprnt () from /usr/lib/libc.so.1
#2  0xff1890c8 in vsnprintf () from /usr/lib/libc.so.1
#3  0x0010b9e8 in vrpmlog (code=7, fmt=0x3d9e70 "ort ...\n", ap=0xffbff6dc) at rpmlog.c:164
#4  0x0010bdbc in vrpmlog (code=7, fmt=0x3d9e70 "ort ...\n", ap=0x481b88) at rpmlog.c:233
#5  0x0004311c in rpmtsCheck (ts=0x47f4a8) at depends.c:2408
#6  0x00085b08 in rpmErase (ts=0x47f4a8, ia=0x44257c, argv=0x469fc8) at rpminstall.c:576
#7  0x0001665c in main (argc=4, argv=0xffbffa14, envp=0xffbffa28) at ./rpmqv.c:678

2.

#0  0xff13455c in strlen () from /usr/lib/libc.so.1
#1  0xff187058 in _doprnt () from /usr/lib/libc.so.1
#2  0xff1890c8 in vsnprintf () from /usr/lib/libc.so.1
#3  0x0010ba70 in vrpmlog (code=7, fmt=0x3e4168 "========== --- %s %s-%s 0x%x\n", ap=0xffbff6a4) at rpmlog.c:176
#4  0x0010be44 in rpmlog (code=7, fmt=0x3e4168 "========== --- %s %s-%s 0x%x\n") at rpmlog.c:248
#5  0x0009d000 in rpmtsRun (ts=0x47f4a8, okProbs=0x0, ignoreSet=RPMPROB_FILTER_NONE) at transaction.c:1840
#6  0x00085cd4 in rpmErase (ts=0x47f4a8, ia=0x44257c, argv=0x469fc8) at rpminstall.c:625
#7  0x0001665c in main (argc=4, argv=0xffbffb2c, envp=0xffbffb40) at ./rpmqv.c:678

I recommend using e.g. rpmWrapNull(rpmteA(p)) together with a small
helper function...

/* substitute a printable string for NULL before it reaches a "%s" */
const char *rpmWrapNull(const char *cp, const char *subst)
{
    return cp != NULL ? cp : subst;
}

...when passing the stuff to rpmlog().

                                       Ralf S. Engelschall
                                       rse@engelschall.com
                                       www.engelschall.com
Received on Mon Nov 12 12:33:37 2007
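The second backtrace above shows the exact hazard: "%s" conversions fed NULL pointers reach vsnprintf(), which on Solaris libc calls strlen(NULL) and dies (glibc happens to print "(null)", so the bug stays hidden on Linux). The following is an added, self-contained C example written for this page, not code from the rpm project or from the message above; `struct te`, `wrap_null()`, `log_fmt()`, `log_te()` and `describe_te()` are hypothetical stand-ins for the rpm transaction element and rpmlog() path, and the "(none)" substitute and the sample elements are constructed inputs. It applies the proposed wrap-before-log pattern to the same "========== --- %s %s-%s 0x%x" trace line from frame #4 of the second backtrace, and returns the formatted text so the result can be checked.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Let the compiler check format/argument type mismatches where it can.
 * Note this only catches static problems (wrong types, a literal NULL),
 * never a pointer that turns out to be NULL at run time. */
#if defined(__GNUC__)
#define PRINTF_LIKE(f, a) __attribute__((format(printf, f, a)))
#else
#define PRINTF_LIKE(f, a)
#endif

/* Hypothetical stand-in for an rpm transaction element (rpmte). For a
 * pubkey pseudo-package being erased, version/release may well be NULL. */
struct te {
    const char *name;
    const char *version;
    const char *release;
    unsigned int flags;
};

/* Same idea as the rpmWrapNull() helper proposed in the message:
 * substitute a printable string for NULL before it reaches "%s". */
static const char *wrap_null(const char *cp, const char *subst)
{
    return cp != NULL ? cp : subst;
}

/* Minimal vrpmlog()-style sink: formats into a caller-owned buffer and
 * returns the length the full message would need. By the time vsnprintf()
 * runs, every "%s" argument must already be non-NULL; this function has
 * no way to verify that, so the caller has to wrap. */
static int log_fmt(char *buf, size_t len, const char *fmt, ...)
    PRINTF_LIKE(3, 4);

static int log_fmt(char *buf, size_t len, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(buf, len, fmt, ap);
    va_end(ap);
    return n;
}

/* NULL-safe version of the trace line from frame #4 of backtrace 2. */
static int log_te(char *buf, size_t len, const struct te *p)
{
    return log_fmt(buf, len, "========== --- %s %s-%s 0x%x\n",
                   wrap_null(p->name, "(none)"),
                   wrap_null(p->version, "(none)"),
                   wrap_null(p->release, "(none)"),
                   p->flags);
}

/* Format one element; always returns a NUL-terminated string in buf,
 * truncated if it did not fit. */
const char *describe_te(const struct te *p, char *buf, size_t len)
{
    int n = log_te(buf, len, p);
    if (n < 0 || (size_t)n >= len)
        buf[len - 1] = '\0';
    return buf;
}

int main(void)
{
    char buf[128];
    /* Constructed sample elements: one fully populated, one with the
     * NULL version/release that crashed Solaris 9 in the report. */
    struct te ok  = { "gpg-pubkey", "2039b291", "3dbaae72", 0x0 };
    struct te bad = { "gpg-pubkey", NULL, NULL, 0x8 };

    fputs(describe_te(&ok, buf, sizeof buf), stdout);
    fputs(describe_te(&bad, buf, sizeof buf), stdout);
    return 0;
}
```

The point of routing every pointer through wrap_null() at the call site rather than inside log_fmt() is that a variadic sink cannot inspect its arguments: once a NULL is behind the va_list, the only thing left is whatever the platform's vsnprintf() does with it.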