diff options
| author | Panu Matilainen <pmatilai@redhat.com> | 2011-09-29 12:50:57 +0300 |
|---|---|---|
| committer | Panu Matilainen <pmatilai@redhat.com> | 2011-09-29 14:38:43 +0300 |
| commit | ad55f854320437859fb6580608687f120f6875fc (patch) | |
| tree | 1770b7d5618e662f8a5e5c33ac79e935eb2a7d25 | |
| parent | 36f6874fcf5222f4553fb5b7782af18c7b6ea92a (diff) | |
| download | rpm-ad55f854320437859fb6580608687f120f6875fc.tar.gz | |
Sanity check region offset in regionSwab()
- Region offsets are supposed to be negative when when an entry
is involved, otherwise zero. Fixes some cases of crash'n'burn on
malformed headers having bogus offsets (CVE-2011-3378)
(cherry picked from commit 11a7e5d95a8ca8c7d4eaff179094afd8bb74fc3f)
| -rw-r--r-- | lib/header.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/lib/header.c b/lib/header.c index a1bfe38ed..4f80cb3a6 100644 --- a/lib/header.c +++ b/lib/header.c @@ -387,6 +387,9 @@ static int regionSwab(indexEntry entry, int il, int dl, const unsigned char * dataEnd, int regionid) { + if ((entry != NULL && regionid >= 0) || (entry == NULL && regionid != 0)) + return -1; + for (; il > 0; il--, pe++) { struct indexEntry_s ie; rpm_tagtype_t type; |