From 691af1073e76dfd07fde690093de7dcf066d4914 Mon Sep 17 00:00:00 2001
From: Demi Marie Obenour
Date: Wed, 13 Jan 2021 15:54:17 -0500
Subject: Tag data must have count greater than zero

Zero counts are invalid, and they cause problems elsewhere. For instance, strtaglen() will suffer an integer underflow.

(cherry picked from commit 5e40166380a450a36b302914be60fd004624f724)
---
 lib/header.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/lib/header.c b/lib/header.c
index 1256e652c..dd5d569e6 100644
--- a/lib/header.c
+++ b/lib/header.c
@@ -134,6 +134,13 @@ static const size_t headerMaxbytes = (256*1024*1024);
 **/
 #define hdrchkTag(_tag) ((_tag) < HEADER_I18NTABLE)
 
+/**
+ * Reasonableness check on count values.
+ * Catches nasty stuff like negative or zero counts, which would cause
+ * integer underflows in strtaglen().
+ */
+#define hdrchkCount(_count) ((_count) == 0)
+
 /**
 * Sanity check on type values.
 */
@@ -285,6 +292,8 @@ static rpmRC hdrblobVerifyInfo(hdrblob blob, char **emsg)
 goto err;
 if (hdrchkType(info.type))
 goto err;
+ if (hdrchkCount(info.count))
+ goto err;
 if (hdrchkAlign(info.type, info.offset))
 goto err;
 if (hdrchkRange(blob->dl, info.offset))
--
cgit v1.2.1
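Review bot: The comment added above `hdrchkCount` says it catches "negative or zero counts", but the macro only tests `((_count) == 0)`. The type of `info.count` is not visible in this hunk: if it is unsigned, the comment should drop "negative", for example `Rejects zero counts, which would cause an integer underflow in strtaglen().`; if it is signed, the test should be `((_count) <= 0)`. It would also help to state in the comment that the macro evaluates to true for an invalid count, since the name reads like a validity predicate.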
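Review bot: The new `if (hdrchkCount(info.count))` guard in hdrblobVerifyInfo rejects only a zero count, so an oversized count read from an untrusted header still passes it; whether a later check bounds the count is not visible here, as the function body starts and ends outside the hunk. Since `blob->dl` is already passed to the neighbouring `hdrchkRange` call, the guard could also cap the count by the data length, presumably safe because every element occupies at least one byte: `#define hdrchkCount(_dl, _count) ((_count) < 1 || (_count) > (_dl))`, called as `if (hdrchkCount(blob->dl, info.count))`. The signedness of the two operands should be confirmed before comparing them.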