author | Panu Matilainen <pmatilai@redhat.com> | 2016-10-19 17:15:42 +0300 |
---|---|---|
committer | Panu Matilainen <pmatilai@redhat.com> | 2016-11-02 10:41:53 +0200 |
commit | a0a24884d9c8c54ae37b8912067179b7e04b4bbf (patch) | |
tree | f7a14f86ad67df00a02433460f17fbd87e5aeff2 | |
parent | 489769fea8ddbe187be92bc5b247c211a3bb065d (diff) | |
download | rpm-a0a24884d9c8c54ae37b8912067179b7e04b4bbf.tar.gz |
Avoid going past header data area when validating SHA1 header digest
A malformed header with no zeros in it could've easily walked off the
edge of the world here. That it happens while trying to validate the
tag data content is the height of embarrassment of sorts.
(cherry picked from commit d8bfe732572e8295015a372348dd13bdecb40f8c)
-rw-r--r-- | lib/package.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/lib/package.c b/lib/package.c
index 890816a2f..1ca4630d5 100644
--- a/lib/package.c
+++ b/lib/package.c
@@ -190,10 +190,11 @@ static rpmRC headerSigVerify(rpmKeyring keyring, rpmVSFlags vsflags,
 switch (einfo.tag) {
 case RPMTAG_SHA1HEADER: {
 size_t blen = 0;
- unsigned const char * b;
+ unsigned const char * b = dataStart + einfo.offset;
+ unsigned const char * e = dataStart + dl;
 if (vsflags & RPMVSF_NOSHA1HEADER)
 break;
- for (b = dataStart + einfo.offset; *b != '\0'; b++) {
+ for (; b < e && *b != '\0'; b++) {
 if (strchr("0123456789abcdefABCDEF", *b) == NULL)
 break;
 blen++; |
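Review bot: The loop can now stop with `b == e`, so any later `*b` on the exit path would read one byte past the data area; the bound added to the `for` condition only protects reads made inside the loop. The terminator check that presumably follows the loop lies outside this hunk, so confirm it tests the bound before dereferencing, e.g. `b == e || *b != '\0'`. The hunk also adds only an upper bound: if `einfo.offset` is not range-checked against `dl` earlier in headerSigVerify (not visible here), a negative or oversized offset still places `b` outside the buffer before it is compared with `e`. A short comment on `e`, such as `/* one past the last byte of the header data area */`, would make the invariant explicit.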