Fix potential segfault in file trigger code

The latter packageHashGetEntry() could cause 'te' set to NULL and consequently crash when indexed later. This was indirectly fixed in e063368, this is a separate backport. Suggested-by: Michael Schroeder <mls@suse.de> Fixes: rpm-software-management#3500
pmatilai · Feb 12, 2025 · 8d081f7 · 8d081f7
1 parent 7f1ac55
commit 8d081f7
Showing 1 changed file with 9 additions and 6 deletions.
diff --git a/lib/rpmtriggers.c b/lib/rpmtriggers.c
@@ -230,7 +230,8 @@ typedef struct matchFilesIter_s {
 static rpmfiles rpmtsNextFiles(matchFilesIter mfi)
 {
     Header h;
-    rpmte *te;
+    rpmte *tes;
+    rpmte te = NULL;
     rpmfiles files = NULL;
     rpmstrPool pool = mfi->ts->members->pool;
     int ix;
@@ -240,21 +241,23 @@ static rpmfiles rpmtsNextFiles(matchFilesIter mfi)
     if (ix < rpmdbGetIteratorCount(mfi->pi)) {
 	offset = rpmdbGetIteratorOffsetFor(mfi->pi, ix);
 	if (packageHashGetEntry(mfi->ts->members->removedPackages, offset,
-				&te, NULL, NULL)) {
+				&tes, NULL, NULL)) {
 	    /* Files are available in memory */
-	    files  = rpmteFiles(te[0]);
+	    te = tes[0];
+	    files  = rpmteFiles(te);
 	}
 
 	if (packageHashGetEntry(mfi->ts->members->installedPackages, offset,
-				&te, NULL, NULL)) {
+				&tes, NULL, NULL)) {
 	    /* Files are available in memory */
-	    files  = rpmteFiles(te[0]);
+	    te = tes[0];
+	    files  = rpmteFiles(te);
 	}
     }
 
     if (files) {
 	rpmdbSetIteratorIndex(mfi->pi, ix + 1);
-	mfi->pkgname = rpmteN(te[0]);
+	mfi->pkgname = rpmteN(te);
     } else {
 	/* Files are not available in memory. Read them from rpmdb */
 	h = rpmdbNextIterator(mfi->pi);