authorPanu Matilainen <pmatilai@redhat.com>2016-10-19 17:15:42 +0300
committerPanu Matilainen <pmatilai@redhat.com>2016-11-02 10:41:53 +0200
commita0a24884d9c8c54ae37b8912067179b7e04b4bbf (patch)
treef7a14f86ad67df00a02433460f17fbd87e5aeff2
parent489769fea8ddbe187be92bc5b247c211a3bb065d (diff)
downloadrpm-a0a24884d9c8c54ae37b8912067179b7e04b4bbf.tar.gz
Avoid going past header data area when validating SHA1 header digest
A malformed header with no zeros in it could've easily walked off the edge of the world here. That it happens while trying to validate the tag data content is the height of embarrassment of sorts. (cherry picked from commit d8bfe732572e8295015a372348dd13bdecb40f8c)
-rw-r--r--lib/package.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/lib/package.c b/lib/package.c
index 890816a2f..1ca4630d5 100644
--- a/lib/package.c
+++ b/lib/package.c
@@ -190,10 +190,11 @@ static rpmRC headerSigVerify(rpmKeyring keyring, rpmVSFlags vsflags,
switch (einfo.tag) {
case RPMTAG_SHA1HEADER: {
size_t blen = 0;
- unsigned const char * b;
+ unsigned const char * b = dataStart + einfo.offset;
+ unsigned const char * e = dataStart + dl;
if (vsflags & RPMVSF_NOSHA1HEADER)
break;
- for (b = dataStart + einfo.offset; *b != '\0'; b++) {
+ for (; b < e && *b != '\0'; b++) {
if (strchr("0123456789abcdefABCDEF", *b) == NULL)
break;
blen++;
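Review bot: When the loop in the `RPMTAG_SHA1HEADER` case stops because `b` has reached `e`, `b` points one past the header data area, so a later read of `*b` would still be out of bounds by one byte. The code after the loop lies outside this hunk, so this needs confirming there; if it tests the terminator with `*b != '\0'`, that test should be guarded as `b >= e || *b != '\0'` so a digest that runs to the end of the data is rejected without the read. The hunk also does not show whether `einfo.offset` has been range-checked against `dl` before `dataStart + einfo.offset` is formed; if that check is not made earlier, an offset outside `0..dl` should be rejected before the pointer is computed. A short comment on `e`, such as `/* one past the last byte of the header data area */`, would make the bound explicit.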