diff options
author | Demi Marie Obenour <demiobenour@gmail.com> | 2021-01-13 15:54:17 -0500 |
---|---|---|
committer | Panu Matilainen <pmatilai@redhat.com> | 2021-03-22 12:12:12 +0200 |
commit | 691af1073e76dfd07fde690093de7dcf066d4914 (patch) | |
tree | 14cb45969b7a2a9799f57ad05f13bf03dab7c1cd | |
parent | 55f569e363d124667a8dc49ae2ec555ebf283370 (diff) | |
download | rpm-691af1073e76dfd07fde690093de7dcf066d4914.tar.gz |
Tag data must have count greater than zero
Zero counts are invalid, and they cause problems elsewhere. For
instance, strtaglen() will suffer an integer underflow.
(cherry picked from commit 5e40166380a450a36b302914be60fd004624f724)
-rw-r--r-- | lib/header.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/lib/header.c b/lib/header.c index 1256e652c..dd5d569e6 100644 --- a/lib/header.c +++ b/lib/header.c @@ -135,6 +135,13 @@ static const size_t headerMaxbytes = (256*1024*1024); #define hdrchkTag(_tag) ((_tag) < HEADER_I18NTABLE) /** + * Reasonableness check on count values. + * Catches nasty stuff like negative or zero counts, which would cause + * integer underflows in strtaglen(). + */ +#define hdrchkCount(_count) ((_count) == 0) + +/** * Sanity check on type values. */ #define hdrchkType(_type) ((_type) < RPM_MIN_TYPE || (_type) > RPM_MAX_TYPE) @@ -285,6 +292,8 @@ static rpmRC hdrblobVerifyInfo(hdrblob blob, char **emsg) goto err; if (hdrchkType(info.type)) goto err; + if (hdrchkCount(info.count)) + goto err; if (hdrchkAlign(info.type, info.offset)) goto err; if (hdrchkRange(blob->dl, info.offset)) |