From 9c36ca411332d2718eca339e867561c39abc256b Mon Sep 17 00:00:00 2001
From: Lubos Kardos <lkardos@redhat.com>
Date: Fri, 6 Nov 2015 14:49:59 +0100
Subject: [PATCH] Fix crash when parsing corrupted RPM file (rhbz:1273360)

---
 lib/legacy.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/lib/legacy.c b/lib/legacy.c
index 422c2b0..8ba7bbd 100644
--- a/lib/legacy.c
+++ b/lib/legacy.c
@@ -25,7 +25,7 @@ static void compressFilelist(Header h)
     char ** dirNames;
     const char ** baseNames;
     uint32_t * dirIndexes;
-    rpm_count_t count;
+    rpm_count_t count, realCount = 0;
     int i;
     int dirIndex = -1;
 
@@ -58,6 +58,7 @@ static void compressFilelist(Header h)
 	    while ((i = rpmtdNext(&fileNames)) >= 0) {
 		dirIndexes[i] = dirIndex;
 		baseNames[i] = rpmtdGetString(&fileNames);
+		realCount++;
 	    }
 	    goto exit;
 	}
@@ -87,19 +88,20 @@ static void compressFilelist(Header h)
 	    (needle = bsearch(&filename, dirNames, dirIndex + 1, sizeof(dirNames[0]), dncmp)) == NULL) {
 	    char *s = xmalloc(len + 1);
 	    rstrlcpy(s, filename, len + 1);
-	    dirIndexes[i] = ++dirIndex;
+	    dirIndexes[realCount] = ++dirIndex;
 	    dirNames[dirIndex] = s;
 	} else
-	    dirIndexes[i] = needle - dirNames;
+	    dirIndexes[realCount] = needle - dirNames;
 
 	*baseName = savechar;
-	baseNames[i] = baseName;
+	baseNames[realCount] = baseName;
+	realCount++;
     }
 
 exit:
     if (count > 0) {
-	headerPutUint32(h, RPMTAG_DIRINDEXES, dirIndexes, count);
-	headerPutStringArray(h, RPMTAG_BASENAMES, baseNames, count);
+	headerPutUint32(h, RPMTAG_DIRINDEXES, dirIndexes, realCount);
+	headerPutStringArray(h, RPMTAG_BASENAMES, baseNames, realCount);
 	headerPutStringArray(h, RPMTAG_DIRNAMES, 
 			     (const char **) dirNames, dirIndex + 1);
     }
-- 
1.9.3