Fix buffer overflow in verifyDSASignature()

- caused by assumption that sizeof(size_t) is always 4 (credited to jbj)
author: Jindrich Novy <jnovy@redhat.com> 2008-04-09 10:10:17 +0200
committer: Jindrich Novy <jnovy@redhat.com> 2008-04-09 10:12:00 +0200
commit: 7a64fb564a7c79e47a3ad86d17b5c671a64e44c4 (patch)
tree: 377ec1480ab284ff0165302e11a6c9d83c5b4696 /lib
parent: 3d717d5c45ac17dcd3e0ae82f8f7d9846b1a5d97 (diff)
download: rpm-7a64fb564a7c79e47a3ad86d17b5c671a64e44c4.tar.gz
rpm-7a64fb564a7c79e47a3ad86d17b5c671a64e44c4.tar.bz2
rpm-7a64fb564a7c79e47a3ad86d17b5c671a64e44c4.zip
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/signature.c b/lib/signature.c
index f1b5c005c..61497b1c0 100644
--- a/lib/signature.c
+++ b/lib/signature.c
@@ -1266,12 +1266,13 @@ verifyDSASignature(rpmts ts, char ** msg,
 
 	if (sigp->version == 4) {
 	    size_t nb = sigp->hashlen;
-	    uint8_t trailer[6];
+	    uint8_t *trailer = xmalloc(2+sizeof(nb));
 	    nb = htonl(nb);
 	    trailer[0] = sigp->version;
 	    trailer[1] = 0xff;
 	    memcpy(trailer+2, &nb, sizeof(nb));
 	    xx = rpmDigestUpdate(ctx, trailer, sizeof(trailer));
+	    free(trailer);
 	}
 	xx = rpmDigestFinal(ctx, (void **)&dig->sha1, &dig->sha1len, 0);
 	(void) rpmswExit(rpmtsOp(ts, RPMTS_OP_DIGEST), sigp->hashlen);
author	Jindrich Novy <jnovy@redhat.com>	2008-04-09 10:10:17 +0200
committer	Jindrich Novy <jnovy@redhat.com>	2008-04-09 10:12:00 +0200
commit	7a64fb564a7c79e47a3ad86d17b5c671a64e44c4 (patch)
tree	377ec1480ab284ff0165302e11a6c9d83c5b4696 /lib
parent	3d717d5c45ac17dcd3e0ae82f8f7d9846b1a5d97 (diff)
download	rpm-7a64fb564a7c79e47a3ad86d17b5c671a64e44c4.tar.gz rpm-7a64fb564a7c79e47a3ad86d17b5c671a64e44c4.tar.bz2 rpm-7a64fb564a7c79e47a3ad86d17b5c671a64e44c4.zip