From 3b584571af96dccb0c3c79ea492f5f1130303353 Mon Sep 17 00:00:00 2001
From: Panu Matilainen <pmatilai@redhat.com>
Date: Thu, 18 Mar 2021 10:39:38 +0200
Subject: Better sanity check for header entry counts

The count can never be larger than header data size, which can never be
larger than 256MB. Most datatypes have further restrictions of course, this
is merely an outer perimeter check to catch impossibly large values that
could otherwise overflow all manner of trivial calculations.

Addresses the point I missed in PR #1493 but with a much tighter limit.

(cherry picked from commit d8fbddfa5051bdc1c71e16cb11f14d9fdc7f5c5e)
---
 lib/header.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/lib/header.c b/lib/header.c
index 46ded5dd9..d1a3d7e08 100644
--- a/lib/header.c
+++ b/lib/header.c
@@ -137,10 +137,9 @@ static const size_t headerMaxbytes = (256*1024*1024);
 
 /**
  * Reasonableness check on count values.
- * Catches nasty stuff like negative or zero counts, which would cause
- * integer underflows in strtaglen().
+ * Most types have further restrictions, these are just the outer perimeter.
  */
-#define hdrchkCount(_count) ((_count) == 0)
+#define hdrchkCount(_dl, _count) ((_count) < 1 || (_count) > (_dl))
 
 /**
  * Sanity check on type values.
@@ -293,7 +292,7 @@ static rpmRC hdrblobVerifyInfo(hdrblob blob, char **emsg)
 	    goto err;
 	if (hdrchkType(info.type))
 	    goto err;
-	if (hdrchkCount(info.count))
+	if (hdrchkCount(blob->dl, info.count))
 	    goto err;
 	if (hdrchkAlign(info.type, info.offset))
 	    goto err;
-- 
cgit v1.2.1