authorPanu Matilainen <pmatilai@redhat.com>2007-06-18 08:50:52 +0300
committerPanu Matilainen <pmatilai@redhat.com>2007-06-18 08:50:52 +0300
commit6f69c70e76deb57f5af8ee316e116a0c3b4c1077 (patch)
tree8c806c4590eeedc95648372e49eb3fa3cd79d9f5
parent900de8606fc2d40f38fc050de9211586fc343d22 (diff)
Check all header strings to resize buffer CVE-2006-5466 (#212833).
Patch backported from rpm5.org / JBJ.
-rw-r--r--lib/query.c24
1 files changed, 18 insertions, 6 deletions
diff --git a/lib/query.c b/lib/query.c
index 77ee8850a..2a6d4ff88 100644
--- a/lib/query.c
+++ b/lib/query.c
@@ -150,12 +150,14 @@ int showQueryPackage(QVA_t qva, rpmts ts, Header h)
{
int scareMem = 0;
rpmfi fi = NULL;
+ size_t tb = 2 * BUFSIZ;
+ size_t sb;
char * t, * te;
char * prefix = NULL;
int rc = 0; /* XXX FIXME: need real return code */
int i;
- te = t = xmalloc(BUFSIZ);
+ te = t = xmalloc(tb);
/*@-boundswrite@*/
*te = '\0';
/*@=boundswrite@*/
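Review bot: The two new function-scope variables `tb` and `sb` are undocumented, and `tb` silently changes meaning in this commit: in the removed lines of the next hunk it was the number of bytes already used, while here it is the allocated size of `t`. Since every later bounds decision depends on `tb` matching the real allocation, I would annotate the declarations, e.g. `size_t tb = 2 * BUFSIZ; /* allocated size of t, updated on every xrealloc */` and `size_t sb; /* bytes about to be appended */`. The function body continues outside the hunk.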
@@ -164,12 +166,13 @@ int showQueryPackage(QVA_t qva, rpmts ts, Header h)
const char * str = queryHeader(h, qva->qva_queryFormat);
/*@-branchstate@*/
if (str) {
- size_t tb = (te - t);
- size_t sb = strlen(str);
+ size_t tx = (te - t);
- if (sb >= (BUFSIZ - tb)) {
- t = xrealloc(t, BUFSIZ+sb);
- te = t + tb;
+ sb = strlen(str);
+ if (sb) {
+ tb += sb;
+ t = xrealloc(t, tb);
+ te = t + tx;
}
/*@-boundswrite@*/
/*@-usereleased@*/
@@ -246,6 +249,15 @@ int showQueryPackage(QVA_t qva, rpmts ts, Header h)
if ((qva->qva_fflags & RPMFILE_GHOST) && (fflags & RPMFILE_GHOST))
continue;
+ /* Insure space for header derived data */
+ sb = strlen(fn) + strlen(fmd5) + strlen(fuser) + strlen(fgroup) + strlen(flink);
+ if ((sb + BUFSIZ) > tb) {
+ size_t tx = (te - t);
+ tb += sb + BUFSIZ;
+ t = xrealloc(t, tb);
+ te = t + tx;
+ }
+
/*@-boundswrite@*/
if (!rpmIsVerbose() && prefix)
te = stpcpy(te, prefix);
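Review bot: The new capacity test `(sb + BUFSIZ) > tb` compares against the total allocation rather than the space remaining after `te`, so it is only sufficient if the buffer is emptied (`te` reset to `t`) before each file entry. That reset is not visible in this hunk and should be confirmed, or the test written as `if ((sb + BUFSIZ) > (tb - (size_t)(te - t)))`. The `strlen()` sum also dereferences `fn`, `fmd5`, `fuser`, `fgroup` and `flink` unconditionally; the hunk does not show where they are assigned, so if any of them can be NULL for a package lacking that tag, the sizing code itself would crash, and each term should be guarded, e.g. `if (fuser) sb += strlen(fuser);`. The `prefix` copied immediately afterwards is not counted in `sb` and relies on the `BUFSIZ` slack. The loop body starts and ends outside the hunk.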