42 lines
1.2 KiB
Diff
42 lines
1.2 KiB
Diff
From 5e40166380a450a36b302914be60fd004624f724 Mon Sep 17 00:00:00 2001
|
|
From: Demi Marie Obenour <demiobenour@gmail.com>
|
|
Date: Wed, 13 Jan 2021 15:54:17 -0500
|
|
Subject: [PATCH] Tag data must have count greater than zero
|
|
|
|
Zero counts are invalid, and they cause problems elsewhere. For
|
|
instance, strtaglen() will suffer an integer underflow.
|
|
---
|
|
lib/header.c | 9 +++++++++
|
|
1 file changed, 9 insertions(+)
|
|
|
|
diff --git a/lib/header.c b/lib/header.c
|
|
index fc52c3178..41c2da94f 100644
|
|
--- a/lib/header.c
|
|
+++ b/lib/header.c
|
|
@@ -128,6 +128,13 @@ static const size_t headerMaxbytes = (256*1024*1024);
|
|
**/
|
|
#define hdrchkTag(_tag) ((_tag) < HEADER_I18NTABLE)
|
|
|
|
+/**
|
|
+ * Reasonableness check on count values.
|
|
+ * Catches nasty stuff like negative or zero counts, which would cause
|
|
+ * integer underflows in strtaglen().
|
|
+ */
|
|
+#define hdrchkCount(_count) ((_count) == 0)
|
|
+
|
|
/**
|
|
* Sanity check on type values.
|
|
*/
|
|
@@ -279,6 +286,8 @@ static rpmRC hdrblobVerifyInfo(hdrblob blob, char **emsg)
|
|
goto err;
|
|
if (hdrchkType(info.type))
|
|
goto err;
|
|
+ if (hdrchkCount(info.count))
|
|
+ goto err;
|
|
if (hdrchkAlign(info.type, info.offset))
|
|
goto err;
|
|
if (hdrchkRange(blob->dl, info.offset))
|
|
--
|
|
2.27.0
|
|
|