From d8fbddfa5051bdc1c71e16cb11f14d9fdc7f5c5e Mon Sep 17 00:00:00 2001
From: Panu Matilainen <pmatilai@redhat.com>
Date: Thu, 18 Mar 2021 10:39:38 +0200
Subject: [PATCH] Better sanity check for header entry counts
The count can never be larger than header data size, which can never be
larger than 256MB. Most datatypes have further restrictions of course, this
is merely an outer perimeter check to catch impossibly large values that
could otherwise overflow all manner of trivial calculations.
Addresses the point I missed in PR #1493 but with a much tighter limit.
---
lib/header.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
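diff --git a/lib/header.c b/lib/header.c
index ebba9c2b0..34d291e91 100644
--- a/lib/header.c
+++ b/lib/header.c
@@ -131,10 +131,9 @@ static const size_t headerMaxbytes = (256*1024*1024);
 
 /**
 * Reasonableness check on count values.
- * Catches nasty stuff like negative or zero counts, which would cause
- * integer underflows in strtaglen().
+ * Most types have further restrictions, these are just the outer perimeter.
 */
-#define hdrchkCount(_count) ((_count) == 0)
+#define hdrchkCount(_dl, _count) ((_count) < 1 || (_count) > (_dl))
 
 /**
 * Sanity check on type values.
@@ -287,7 +286,7 @@ static rpmRC hdrblobVerifyInfo(hdrblob blob, char **emsg)
 goto err;
 if (hdrchkType(info.type))
 goto err;
- if (hdrchkCount(info.count))
+ if (hdrchkCount(blob->dl, info.count))
 goto err;
 if (hdrchkAlign(info.type, info.offset))
 goto err;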
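Review bot: The new `hdrchkCount(_dl, _count)` bound is only as strong as `blob->dl`, and neither hunk shows where `dl` itself is limited to `headerMaxbytes` before `hdrblobVerifyInfo()` reaches this check; if that validation happens elsewhere, the macro's comment should say so, e.g. ` * _dl must already be validated against headerMaxbytes; _count is evaluated twice.` The declared types of `info.count` and `blob->dl` are also outside the hunks: if one is signed and the other unsigned, `(_count) > (_dl)` is evaluated after the usual arithmetic conversions and a negative `dl` would silently become a very large upper bound, so a `static inline` helper with explicit unsigned parameters would make the comparison unambiguous. The rewritten comment also drops the reason zero counts are rejected (the underflow in `strtaglen()`), which is worth keeping as one line. The body of `hdrblobVerifyInfo()` starts and ends outside the second hunk.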
--
2.27.0