diff options
| author | Panu Matilainen <pmatilai@redhat.com> | 2011-10-03 17:49:29 +0300 |
|---|---|---|
| committer | Panu Matilainen <pmatilai@redhat.com> | 2012-04-03 16:04:41 +0300 |
| commit | 1bde7b0e139b233bd4a5490fe955ec9553c988c0 (patch) | |
| tree | 489a859a3b3cbb24134882843d827e52f9eb7b25 | |
| parent | 1a7bb2727f1d3a7cc23b824f2f05c25352270f2e (diff) | |
| download | rpm-1bde7b0e139b233bd4a5490fe955ec9553c988c0.tar.gz | |
Sanity check region length on header load
- Region size can't obviously be larger than the containing header,
sanity check to avoid crashes from malformed packages.
- We should really test for length equality here, but with dribbles
the size is sometimes off by three, whatever the reason (bug likely),
leaving that investigation for some sunnier day...
(cherry picked from commit 472e569562d4c90d7a298080e0052856aa7fa86b)
| -rw-r--r-- | lib/header.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/lib/header.c b/lib/header.c index 8bea91a20..f622fb2f6 100644 --- a/lib/header.c +++ b/lib/header.c @@ -904,6 +904,11 @@ Header headerLoad(void * uh) h->indexUsed += ne; } } + + rdlen += REGION_TAG_COUNT; + /* XXX should be equality test, but dribbles are sometimes a bit off? */ + if (rdlen > dl || (rdlen < dl && ril == h->indexUsed)) + goto errxit; } h->flags &= ~HEADERFLAG_SORTED; |