diff options
| author | Panu Matilainen <pmatilai@redhat.com> | 2011-09-29 12:50:57 +0300 |
|---|---|---|
| committer | Panu Matilainen <pmatilai@redhat.com> | 2011-09-29 13:04:56 +0300 |
| commit | 11a7e5d95a8ca8c7d4eaff179094afd8bb74fc3f (patch) | |
| tree | 900fd4229fa1567fc066463fcf7618da0990841b /lib/header.c | |
| parent | c6c364317b4f5d1e31e0f27094d6b1af3778881d (diff) | |
| download | librpm-tizen-11a7e5d95a8ca8c7d4eaff179094afd8bb74fc3f.tar.gz librpm-tizen-11a7e5d95a8ca8c7d4eaff179094afd8bb74fc3f.tar.bz2 librpm-tizen-11a7e5d95a8ca8c7d4eaff179094afd8bb74fc3f.zip | |
Sanity check region offset in regionSwab()
- Region offsets are supposed to be negative when when an entry
is involved, otherwise zero. Fixes some cases of crash'n'burn on
malformed headers having bogus offsets (CVE-2011-3378)
Diffstat (limited to 'lib/header.c')
| -rw-r--r-- | lib/header.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/lib/header.c b/lib/header.c index 5a54e753f..284be0902 100644 --- a/lib/header.c +++ b/lib/header.c @@ -381,6 +381,9 @@ static int regionSwab(indexEntry entry, int il, int dl, const unsigned char * dataEnd, int regionid) { + if ((entry != NULL && regionid >= 0) || (entry == NULL && regionid != 0)) + return -1; + for (; il > 0; il--, pe++) { struct indexEntry_s ie; rpm_tagtype_t type; |