Eliminate remaining uses of unsafe headerCopyLoad() in the codebase

There's no way to safely validate an object to which only a void
pointer is given. Use headerImport() and pass a size to make
verification possible, headerCopyLoad() has been long deprecated anyway.

(cherry picked from commit 07858c0d60cb3d19f977aed14842fd7fbf66528f)

2 files changed, 5 insertions, 2 deletions

diff --git a/python/header-py.c b/python/header-py.c
index af7d33d0a..7750c37d6 100644
--- a/python/header-py.c
+++ b/python/header-py.c
@@ -381,7 +381,10 @@ static PyObject *hdr_new(PyTypeObject *subtype, PyObject *args, PyObject *kwds)
     } else if (hdrObject_Check(obj)) {
 	h = headerCopy(((hdrObject*) obj)->h);
     } else if (PyBytes_Check(obj)) {
-	h = headerCopyLoad(PyBytes_AsString(obj));
+	Py_ssize_t len = 0;
+	char *blob = NULL;
+	if (PyBytes_AsStringAndSize(obj, &blob, &len) == 0)
+	    h = headerImport(blob, len, HEADERIMPORT_COPY);
     } else if (rpmfdFromPyObject(obj, &fdo)) {
 	Py_BEGIN_ALLOW_THREADS;
 	h = headerRead(rpmfdGetFd(fdo), HEADER_MAGIC_YES);
diff --git a/sign/rpmgensig.c b/sign/rpmgensig.c
index 3eecdb7fa..e5d191cc0 100644
--- a/sign/rpmgensig.c
+++ b/sign/rpmgensig.c
@@ -402,7 +402,7 @@ static void unloadImmutableRegion(Header *hdrp, rpmTagVal tag)
     Header oh = NULL;
 
     if (headerGet(*hdrp, tag, &td, HEADERGET_DEFAULT)) {
-	oh = headerCopyLoad(td.data);
+	oh = headerImport(td.data, td.count, HEADERIMPORT_COPY);
 	rpmtdFreeData(&td);
     } else {
 	/* XXX should we warn if the immutable region is corrupt/missing? */