From 472e569562d4c90d7a298080e0052856aa7fa86b Mon Sep 17 00:00:00 2001 From: Panu Matilainen Date: Mon, 3 Oct 2011 17:49:29 +0300 Subject: Sanity check region length on header load - Region size can't obviously be larger than the containing header, sanity check to avoid crashes from malformed packages. - We should really test for length equality here, but with dribbles the size is sometimes off by three, whatever the reason (bug likely), leaving that investigation for some sunnier day... --- lib/header.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'lib/header.c') diff --git a/lib/header.c b/lib/header.c index c77196749..b01d1e48b 100644 --- a/lib/header.c +++ b/lib/header.c @@ -895,6 +895,11 @@ Header headerLoad(void * uh) h->indexUsed += ne; } } + + rdlen += REGION_TAG_COUNT; + /* XXX should be equality test, but dribbles are sometimes a bit off? */ + if (rdlen > dl || (rdlen < dl && ril == h->indexUsed)) + goto errxit; } h->flags &= ~HEADERFLAG_SORTED; -- cgit v1.2.3
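Review bot: the second clause of the new condition in headerLoad(), `(rdlen < dl && ril == h->indexUsed)`, only rejects a short region when `ril == h->indexUsed`. In every other case any `rdlen` smaller than `dl` is accepted, which is much looser than the "off by three" the commit message describes. If the intent is that `ril == h->indexUsed` means there are no dribble entries and the lengths must therefore match exactly, the XXX comment should say so. For the dribble case, consider bounding the tolerated difference instead of allowing an arbitrary shortfall, so that the check still catches a malformed header that carries dribbles. The check also sits after the `h->indexUsed += ne` block, so the region entries have already been processed by the time `rdlen > dl` is tested. Since the stated goal is avoiding crashes from malformed packages, it is worth confirming that nothing earlier in this branch depends on `rdlen` being within `dl`, or moving the upper-bound test ahead of that work. A regression test with a header whose region length exceeds the data length would keep the new `goto errxit` path covered.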