author | Demi Marie Obenour <demiobenour@gmail.com> | 2021-01-13 15:54:17 -0500 |
---|---|---|
committer | Panu Matilainen <pmatilai@redhat.com> | 2021-03-22 12:04:27 +0200 |
commit | 184f1eca8b5c20e51b14b3e895b5bf09bfc70562 (patch) | |
tree | 8656e4d27620de954f884ac9fefbe9bd0849a628 | |
parent | 4fc8e87e31481d66fba9c43c5ef24b5328626bae (diff) | |
Tag data must have count greater than zero
Zero counts are invalid, and they cause problems elsewhere. For
instance, strtaglen() will suffer an integer underflow.
(cherry picked from commit 5e40166380a450a36b302914be60fd004624f724)
-rw-r--r-- | lib/header.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/lib/header.c b/lib/header.c
index 6e7b6b436..e423ad172 100644
--- a/lib/header.c
+++ b/lib/header.c
@@ -129,6 +129,13 @@ static const size_t headerMaxbytes = (256*1024*1024);
 #define hdrchkTag(_tag) ((_tag) < HEADER_I18NTABLE)
 
 /**
+ * Reasonableness check on count values.
+ * Catches nasty stuff like negative or zero counts, which would cause
+ * integer underflows in strtaglen().
+ */
+#define hdrchkCount(_count) ((_count) == 0)
+
+/**
 * Sanity check on type values.
 */
 #define hdrchkType(_type) ((_type) < RPM_MIN_TYPE || (_type) > RPM_MAX_TYPE)
@@ -279,6 +286,8 @@ static rpmRC hdrblobVerifyInfo(hdrblob blob, char **emsg)
 goto err;
 if (hdrchkType(info.type))
 goto err;
+ if (hdrchkCount(info.count))
+ goto err;
 if (hdrchkAlign(info.type, info.offset))
 goto err;
 if (hdrchkRange(blob->dl, info.offset)) |
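Review bot: The doc comment on `hdrchkCount` says it catches negative counts, but the macro only tests `(_count) == 0`. The declaration of the count field is not visible in this hunk: if it is an unsigned type, a negative value cannot occur and the comment overstates what is checked; if it is signed, negative values pass the check unnoticed. Either reword the comment to `Rejects zero counts, which would underflow in strtaglen().` or change the test to `((_count) < 1)` so the code matches the stated intent.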
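Review bot: The new `hdrchkCount(info.count)` test in hdrblobVerifyInfo rejects zero but sets no upper limit, so an entry in an untrusted header that claims far more elements than the data area can hold is still accepted at this point. Whether a later length computation rejects such an entry is not visible here, because the function body starts and ends outside the hunk. Consider bounding the count against the data length that the following range check already uses, for example `if (hdrchkCount(info.count) || info.count > blob->dl) goto err;` (adjusted for the signedness of the two fields). A regression test that feeds a header with a zero-count tag would keep the rejection covered.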