File headerchk.diff of Package rpm.import5255
--- ./lib/header.c.orig 2009-12-07 14:36:49.000000000 +0000
+++ ./lib/header.c 2011-10-04 17:17:48.000000000 +0000
@@ -358,6 +358,9 @@ static int regionSwab(indexEntry entry,
const unsigned char * dataEnd,
int regionid)
{
+ if ((entry != NULL && regionid >= 0) || (entry == NULL && regionid != 0))
+ return -1;
+
for (; il > 0; il--, pe++) {
struct indexEntry_s ie;
rpmTagType type;
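Review bot: The guard added at the top of regionSwab enforces a calling convention that is not documented anywhere in the hunk: a non-NULL `entry` requires a negative `regionid`, and a NULL `entry` requires `regionid == 0`. A short comment above it would tell the next reader why other combinations are rejected, for example `/* entry != NULL requires regionid < 0; entry == NULL requires regionid == 0 */`. The new `return -1` only helps if every caller tests for a negative result before using it as a length; the callers and the rest of the function body are outside this hunk, so that is worth confirming.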
@@ -822,7 +825,7 @@ Header headerLoad(void * uh)
{ int off = ntohl(pe->offset);
- if (hdrchkData(off))
+ if (hdrchkData(off) || hdrchkRange(dl, off))
goto errxit;
if (off) {
size_t nb = REGION_TAG_COUNT;
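Review bot: The added `hdrchkRange(dl, off)` bounds only the start of the region trailer, not its end. The last visible line sets `nb = REGION_TAG_COUNT` inside the `if (off)` branch, which suggests that many bytes are then read at `off`. If so, an `off` at or near `dl` still passes the check and the read runs past the data area. A length test inside that branch, before the read, would close the gap, for example `if (dl - off < (int)nb) goto errxit;`. The read itself is outside the hunk, so confirm it against the full function.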
@@ -881,6 +884,11 @@ Header headerLoad(void * uh)
h->indexUsed += ne;
}
}
+
+ rdlen += REGION_TAG_COUNT;
+ /* XXX should be equality test, but dribbles are sometimes a bit off? */
+ if (rdlen > dl)
+ goto errxit;
}
h->flags &= ~HEADERFLAG_SORTED;
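Review bot: The test `rdlen > dl` is only an upper bound, so a header whose region accounts for fewer bytes than `dl` is still accepted, and any trailing data is not covered by this check. The XXX comment admits this but ends in a question and does not say how much slack is tolerated. I would reword it to state the decision, for example `/* Only an upper bound: existing headers are not always exact, so equality is not enforced */`. If the tolerated slack is known, a lower bound could be added as well. The enclosing block starts outside the hunk, so the type and sign of `rdlen` could not be checked here.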
--- ./rpmio/rpmpgp.c.orig 2011-10-04 17:17:40.000000000 +0000
+++ ./rpmio/rpmpgp.c 2011-10-04 17:17:48.000000000 +0000
@@ -378,6 +378,9 @@ static int pgpPrtSubType(const uint8_t *
while (hlen > 0) {
i = pgpLen(p, &plen);
+ if (i + plen > hlen)
+ break;
+
p += i;
hlen -= i;
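Review bot: The new bound `i + plen > hlen` can wrap if these are unsigned and `plen` comes from a multi-octet length field. On a platform where the sum overflows, an oversized `plen` passes the check and the later `p += plen` walks off the buffer. Writing it without the addition avoids that: `if (i > hlen || plen > hlen - i) break;`. Separately, `pgpLen(p, &plen)` is still called before anything compares `hlen` with the number of length octets it consumes. If it can read more than one octet, a short tail is over-read before this check runs. The declarations of `i`, `plen` and `hlen` are outside the hunk.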
@@ -460,7 +463,7 @@ static int pgpPrtSubType(const uint8_t *
p += plen;
hlen -= plen;
}
- return 0;
+ return (hlen != 0); /* non-zero hlen is an error */
}
static const char * const pgpSigRSA[] = {
@@ -584,7 +587,8 @@ fprintf(stderr, " hash[%zu] -- %s\n",
_digp->hashlen = sizeof(*v) + plen;
_digp->hash = memcpy(xmalloc(_digp->hashlen), v, _digp->hashlen);
}
- (void) pgpPrtSubType(p, plen, v->sigtype, _digp);
+ if (pgpPrtSubType(p, plen, v->sigtype, _digp))
+ return 1;
p += plen;
plen = pgpGrab(p,2);
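Review bot: The new `return 1` is taken after `_digp->hash` and `_digp->hashlen` have already been assigned a few lines above, so a rejected signature leaves `_digp` partly populated. The same applies to the second call site in the next hunk (`unhash`). If any caller inspects `_digp` after a non-zero return, it will see fields from a packet that failed parsing. A comment at the return such as `/* malformed subpackets: caller must discard _digp */` would make the contract explicit, or the fields could be cleared before returning. The callers and the rest of this function are outside the hunk.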
@@ -595,7 +599,8 @@ fprintf(stderr, " hash[%zu] -- %s\n",
if (_debug && _print)
fprintf(stderr, " unhash[%zu] -- %s\n", plen, pgpHexStr(p, plen));
- (void) pgpPrtSubType(p, plen, v->sigtype, _digp);
+ if (pgpPrtSubType(p, plen, v->sigtype, _digp))
+ return 1;
p += plen;
plen = pgpGrab(p,2);