Tag data must have count greater than zero

Zero counts are invalid, and they cause problems elsewhere. For instance, strtaglen() will suffer an integer underflow. (cherry picked from commit 5e40166380a450a36b302914be60fd004624f724)
author: Demi Marie Obenour <demiobenour@gmail.com> 2021-01-13 15:54:17 -0500
committer: Panu Matilainen <pmatilai@redhat.com> 2021-03-22 12:12:12 +0200
commit: 691af1073e76dfd07fde690093de7dcf066d4914 (patch)
tree: 14cb45969b7a2a9799f57ad05f13bf03dab7c1cd
parent: 55f569e363d124667a8dc49ae2ec555ebf283370 (diff)
download: rpm-691af1073e76dfd07fde690093de7dcf066d4914.tar.gz
1 files changed, 9 insertions, 0 deletions
diff --git a/lib/header.c b/lib/header.c
index 1256e652c..dd5d569e6 100644
--- a/lib/header.c
+++ b/lib/header.c
@@ -135,6 +135,13 @@ static const size_t headerMaxbytes = (256*1024*1024);
 #define hdrchkTag(_tag) ((_tag) < HEADER_I18NTABLE)
 
 /**
+ * Reasonableness check on count values.
+ * Catches nasty stuff like negative or zero counts, which would cause
+ * integer underflows in strtaglen().
+ */
+#define hdrchkCount(_count) ((_count) == 0)
+
+/**
  * Sanity check on type values.
  */
 #define hdrchkType(_type) ((_type) < RPM_MIN_TYPE || (_type) > RPM_MAX_TYPE)
@@ -285,6 +292,8 @@ static rpmRC hdrblobVerifyInfo(hdrblob blob, char **emsg)
 	    goto err;
 	if (hdrchkType(info.type))
 	    goto err;
+	if (hdrchkCount(info.count))
+	    goto err;
 	if (hdrchkAlign(info.type, info.offset))
 	    goto err;
 	if (hdrchkRange(blob->dl, info.offset))
author	Demi Marie Obenour <demiobenour@gmail.com>	2021-01-13 15:54:17 -0500
committer	Panu Matilainen <pmatilai@redhat.com>	2021-03-22 12:12:12 +0200
commit	691af1073e76dfd07fde690093de7dcf066d4914 (patch)
tree	14cb45969b7a2a9799f57ad05f13bf03dab7c1cd
parent	55f569e363d124667a8dc49ae2ec555ebf283370 (diff)
download	rpm-691af1073e76dfd07fde690093de7dcf066d4914.tar.gz