
File headerchk.diff of Package rpm

--- rpmdb/header.c.orig	2011-11-04 09:05:15.540437350 +0100
+++ rpmdb/header.c	2011-11-04 09:07:55.605590600 +0100
@@ -483,6 +483,9 @@
     int tl = dl;
     struct indexEntry_s ieprev;
 
+     if ((entry != NULL && regionid >= 0) || (entry == NULL && regionid != 0))
+ 	return -1;
+
 /*@-boundswrite@*/
     memset(&ieprev, 0, sizeof(ieprev));
 /*@=boundswrite@*/
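Review bot: The new guard encodes an invariant between `entry` and `regionid` that is not documented anywhere in the hunk, so a reader has to work out the valid combinations from the negated condition. A comment above it would help, for example `/* Sanity: with an entry, regionid must be negative; without one, it must be 0. */`. Callers also need to treat a negative return as an error, which cannot be confirmed from here because the function starts and ends outside the hunk. The two added lines are indented with a space followed by a tab, unlike the surrounding code.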
@@ -1081,7 +1084,7 @@
 
 	{   int off = ntohl(pe->offset);
 
-	    if (hdrchkData(off))
+	    if (hdrchkData(off) || hdrchkRange(dl, off))
 		goto errxit;
 	    if (off) {
 /*@-sizeoftype@*/
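Review bot: The added `hdrchkRange(dl, off)` presumably bounds only the start offset, not the extent of what is read there. The `if (off)` branch continues outside the hunk. If it reads a fixed-size region trailer at that offset (REGION_TAG_COUNT bytes, going by the later hunk in this file), an `off` close to `dl` could still read past the data area. Worth confirming that the read length is part of the check, e.g. `if (off > dl - REGION_TAG_COUNT) goto errxit;` at the top of that branch.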
@@ -1146,6 +1149,11 @@
 	    h->indexUsed += ne;
 	  }
 	}
+
+	rdlen += REGION_TAG_COUNT;
+	/* XXX should be equality test, but dribbles are sometimes a bit off? */
+	if (rdlen > dl)
+	    goto errxit;
     }
 
     h->flags &= ~HEADERFLAG_SORTED;
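Review bot: The new `rdlen > dl` test bounds rdlen only from above, so a negative value passes it. The first hunk of this patch adds a `return -1` path. If rdlen is assigned from that function (the assignment is outside this hunk), the error value becomes `REGION_TAG_COUNT - 1` after the addition and is accepted, unless it is tested earlier. A sign test placed before the addition would close this: `if (rdlen < 0) goto errxit;` ahead of `rdlen += REGION_TAG_COUNT;`. As the XXX comment says, `>` also accepts headers whose data area is larger than the entries account for.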
--- rpmio/rpmpgp.c.orig	2011-11-04 09:05:20.808409482 +0100
+++ rpmio/rpmpgp.c	2011-11-04 09:18:41.042176226 +0100
@@ -301,6 +301,9 @@
 
     while (hlen > 0) {
 	i = pgpLen(p, &plen);
+	if (i + plen > hlen)
+	    break;
+
 	p += i;
 	hlen -= i;
 
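Review bot: The bound `i + plen > hlen` can be defeated by wrap-around. If plen is an unsigned 32-bit length decoded from the packet (the declarations are outside the hunk), a very large plen makes the sum wrap to a small value and the check passes. Comparing without the addition avoids that: `if (i > hlen || plen > hlen - i) break;`. Also, `pgpLen(p, &plen)` has already read the length octets at `p` before hlen is known to cover them, so a minimum-length check ahead of the call would be safer.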
@@ -389,7 +392,7 @@
 	p += plen;
 	hlen -= plen;
     }
-    return 0;
+    return (hlen != 0); /* non-zero hlen is an error */
 }
 
 /*@-varuse =readonlytrans @*/
@@ -532,7 +535,8 @@
 	    _digp->hashlen = sizeof(*v) + plen;
 	    _digp->hash = memcpy(xmalloc(_digp->hashlen), v, _digp->hashlen);
 	}
-	(void) pgpPrtSubType(p, plen, v->sigtype);
+ 	if (pgpPrtSubType(p, plen, v->sigtype))
+ 	    return 1;
 	p += plen;
 
 	plen = pgpGrab(p,2);
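Review bot: Nothing visible in this hunk checks `plen` against the bytes remaining in the signature packet before `pgpPrtSubType(p, plen, ...)`, `p += plen` and the following `pgpGrab(p,2)`. The new return-value check only catches malformed subpackets inside the claimed area, and the `memcpy` into `_digp->hash` just above uses the same unchecked length. If that bound is not enforced earlier in the function (outside the hunk), add one before the hashed area is copied and parsed, e.g. `if (plen > REMAINING) return 1;`, where REMAINING is a placeholder for the bytes left in the packet buffer. The same applies to the unhashed-area call in the next hunk (`@@ -543,7 +547,8 @@`).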
@@ -543,7 +547,8 @@
 
 if (_debug && _print)
 fprintf(stderr, " unhash[%u] -- %s\n", plen, pgpHexStr(p, plen));
-	(void) pgpPrtSubType(p, plen, v->sigtype);
+ 	if (pgpPrtSubType(p, plen, v->sigtype))
+ 	    return 1;
 	p += plen;
 
 	plen = pgpGrab(p,2);