From d3306a5d539ce0d7d8a5d8b0d438036cf134ce10 Mon Sep 17 00:00:00 2001 From: Panu Matilainen Date: Nov 07 2016 13:09:30 +0000 Subject: Fix invalid memory access on %transfiletriggerpostun (#1284645) --- diff --git a/rpm-4.13.x-transfiletriggerpostun-invalid-read.patch b/rpm-4.13.x-transfiletriggerpostun-invalid-read.patch new file mode 100644 index 0000000..e770664 --- /dev/null +++ b/rpm-4.13.x-transfiletriggerpostun-invalid-read.patch @@ -0,0 +1,40 @@ +From f6521c50f6836374a0f7995f8f393aaf36e178ea Mon Sep 17 00:00:00 2001 +Message-Id: +From: Panu Matilainen +Date: Mon, 7 Nov 2016 13:38:39 +0200 +Subject: [PATCH] Fix %transfiletriggerpostun undeterministic behavior + (RhBug:1284645) + +Keys from rpmdbIndexIteratorNext() are not necessarily \0-terminated, +buyer beware. + +Sometimes you get lucky, but in particular when built as PIE (such as +by default in Fedora) this falls over consistently. +In Fedora this has been hidden by the fact that test suite has been +disabled because its been so broken with fakechroot until recently, +and without PIE the testsuite regularly passes. Valgrind does +complain though. +--- + lib/rpmtriggers.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/lib/rpmtriggers.c b/lib/rpmtriggers.c +index a8612c0..ca22a6b 100644 +--- a/lib/rpmtriggers.c ++++ b/lib/rpmtriggers.c +@@ -114,8 +114,11 @@ void rpmtriggersPrepPostUnTransFileTrigs(rpmts ts, rpmte te) + + /* Iterate over file triggers in rpmdb */ + while ((rpmdbIndexIteratorNext(ii, &key, &keylen)) == 0) { ++ char pfx[keylen + 1]; ++ memcpy(pfx, key, keylen); ++ pfx[keylen] = '\0'; + /* Check if file trigger matches any file in this te */ +- rpmfi fi = rpmfilesFindPrefix(files, key); ++ rpmfi fi = rpmfilesFindPrefix(files, pfx); + if (rpmfiFC(fi) > 0) { + /* If yes then store it */ + rpmdbAppendIterator(mi, rpmdbIndexIteratorPkgOffsets(ii), +-- +2.7.4 + diff --git a/rpm.spec b/rpm.spec index 2359868..1bba759 100644 --- a/rpm.spec +++ b/rpm.spec 
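Review bot: `char pfx[keylen + 1]` in the backported hunk sizes a stack VLA from a key length that comes straight out of the on-disk rpmdb index, so an oversized or corrupt index key becomes a large stack allocation inside a loop that runs once per trigger key; the hunk does not show keylen's type or any upper bound on it. Copying to the heap keeps the allocation size off the stack and turns the failure mode into an allocation error: `char *pfx = xmalloc(keylen + 1);` in place of the VLA, with `free(pfx);` once `rpmfilesFindPrefix` has returned. The `free` has to go after the `fi` handling, and the body of rpmtriggersPrepPostUnTransFileTrigs continues past the end of the hunk. The rpm.spec hunks only add the Patch100 line, bump the release and add a changelog entry, and need nothing further.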
@@ -29,7 +29,7 @@ Summary: The RPM package management system Name: rpm Version: %{rpmver} -Release: %{?snapver:0.%{snapver}.}2%{?dist} +Release: %{?snapver:0.%{snapver}.}3%{?dist} Group: System Environment/Base Url: http://www.rpm.org/ Source0: http://rpm.org/releases/%{srcdir}/%{name}-%{srcver}.tar.bz2 @@ -52,6 +52,8 @@ Patch4: rpm-4.8.1-use-gpg2.patch Patch5: rpm-4.12.0-rpm2cpio-hack.patch # Patches already upstream: +Patch100: rpm-4.13.x-transfiletriggerpostun-invalid-read.patch + Patch133: rpm-4.13.x-pythondistdeps.patch Patch134: rpm-4.13.x-pythondistdeps-Makefile.patch Patch135: rpm-4.13.x-pythondistdeps-fileattr.patch @@ -556,6 +558,9 @@ exit 0 %doc doc/librpm/html/* %changelog +* Mon Nov 07 2016 Panu Matilainen - 4.13.0-3 +- Fix invalid memory access on %transfiletriggerpostun (#1284645) + * Fri Nov 04 2016 Thierry Vignaud - 4.13.0-2 - Fix package name references in python sub-packages to match reality - Re-enable test-suite now that it works again