Blame rpm-4.8.x-cve-2011-3378.patch
|
|
b678823 |
diff --git a/lib/header.c b/lib/header.c
|
|
|
b678823 |
index 2d68854..536aa89 100644
|
|
|
b678823 |
--- a/lib/header.c
|
|
|
b678823 |
+++ b/lib/header.c
|
|
|
b678823 |
@@ -358,6 +358,9 @@ static int regionSwab(indexEntry entry, int il, int dl,
|
|
|
b678823 |
const unsigned char * dataEnd,
|
|
|
b678823 |
int regionid)
|
|
|
b678823 |
{
|
|
|
b678823 |
+ if ((entry != NULL && regionid >= 0) || (entry == NULL && regionid != 0))
|
|
|
b678823 |
+ return -1;
|
|
|
b678823 |
+
|
|
|
b678823 |
for (; il > 0; il--, pe++) {
|
|
|
b678823 |
struct indexEntry_s ie;
|
|
|
b678823 |
rpmTagType type;
|
|
|
b678823 |
@@ -822,7 +825,7 @@ Header headerLoad(void * uh)
|
|
|
b678823 |
|
|
|
b678823 |
{ int off = ntohl(pe->offset);
|
|
|
b678823 |
|
|
|
b678823 |
- if (hdrchkData(off))
|
|
|
b678823 |
+ if (hdrchkData(off) || hdrchkRange(dl, off))
|
|
|
b678823 |
goto errxit;
|
|
|
b678823 |
if (off) {
|
|
|
b678823 |
size_t nb = REGION_TAG_COUNT;
|