authorPanu Matilainen <pmatilai@redhat.com>2021-03-18 10:39:38 +0200
committerPanu Matilainen <pmatilai@redhat.com>2021-03-22 12:12:12 +0200
commit3b584571af96dccb0c3c79ea492f5f1130303353 (patch)
treeac357c0a2e7e411b006654d5bd68b377d9a991f9
parent6e5ae90c64517bb70333955db0a7a5a3ca7be798 (diff)
Better sanity check for header entry counts
The count can never be larger than header data size, which can never be larger than 256MB. Most datatypes have further restrictions of course, this is merely an outer perimeter check to catch impossibly large values that could otherwise overflow all manner of trivial calculations. Addresses the point I missed in PR #1493 but with a much tighter limit. (cherry picked from commit d8fbddfa5051bdc1c71e16cb11f14d9fdc7f5c5e)
-rw-r--r--lib/header.c7
1 files changed, 3 insertions, 4 deletions
diff --git a/lib/header.c b/lib/header.c
index 46ded5dd9..d1a3d7e08 100644
--- a/lib/header.c
+++ b/lib/header.c
@@ -137,10 +137,9 @@ static const size_t headerMaxbytes = (256*1024*1024);
/**
* Reasonableness check on count values.
- * Catches nasty stuff like negative or zero counts, which would cause
- * integer underflows in strtaglen().
+ * Most types have further restrictions, these are just the outer perimeter.
*/
-#define hdrchkCount(_count) ((_count) == 0)
+#define hdrchkCount(_dl, _count) ((_count) < 1 || (_count) > (_dl))
/**
* Sanity check on type values.
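Review bot: The new upper bound in `hdrchkCount` depends on the integer types of its two arguments, which the macro neither pins down nor documents. If `_count` is unsigned and `_dl` is signed (the declarations are outside this hunk, so this is an assumption to confirm), the comparison is carried out in unsigned arithmetic, so a negative `_dl` would make the upper bound ineffective, and `(_count) < 1` would only ever catch zero. I would add a line to the doc comment such as `* _dl is the already range-checked header data size in bytes; _count must not exceed it.` Because `_count` is now evaluated twice, a `static inline` function with explicit parameter types would also remove the macro's double-evaluation hazard.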
@@ -293,7 +292,7 @@ static rpmRC hdrblobVerifyInfo(hdrblob blob, char **emsg)
goto err;
if (hdrchkType(info.type))
goto err;
- if (hdrchkCount(info.count))
+ if (hdrchkCount(blob->dl, info.count))
goto err;
if (hdrchkAlign(info.type, info.offset))
goto err;
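Review bot: The count check in `hdrblobVerifyInfo` is now only as strong as `blob->dl`, which presumably comes from the same untrusted header as `info.count`. Whether `dl` has been bounded against `headerMaxbytes` before this point is not visible here, as the enclosing function starts and ends outside the hunk. Once that is confirmed, a short comment at the call would record the dependency, e.g. `/* blob->dl is range-checked before we get here, so it is a valid ceiling for count */`. The bound also compares an element count with a byte size, so for types wider than one byte the later per-type length checks remain the ones that tie count times element size to the data area.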