From 98be44d9f017955c3703a7f3b42b379a790f36b0 Mon Sep 17 00:00:00 2001
From: Panu Matilainen <pmatilai@redhat.com>
Date: Thu, 18 Mar 2021 10:39:38 +0200
Subject: Better sanity check for header entry counts

The count can never be larger than header data size, which can never be
larger than 256MB. Most datatypes have further restrictions of course, this
is merely an outer perimeter check to catch impossibly large values that
could otherwise overflow all manner of trivial calculations.

Addresses the point I missed in PR #1493 but with a much tighter limit.

(cherry picked from commit d8fbddfa5051bdc1c71e16cb11f14d9fdc7f5c5e)
---
 lib/header.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/lib/header.c b/lib/header.c
index e7b35d928..3bb7ed88a 100644
--- a/lib/header.c
+++ b/lib/header.c
@@ -131,10 +131,9 @@ static const size_t headerMaxbytes = (256*1024*1024);
 
 /**
  * Reasonableness check on count values.
- * Catches nasty stuff like negative or zero counts, which would cause
- * integer underflows in strtaglen().
+ * Most types have further restrictions, these are just the outer perimeter.
  */
-#define hdrchkCount(_count) ((_count) == 0)
+#define hdrchkCount(_dl, _count) ((_count) < 1 || (_count) > (_dl))
 
 /**
  * Sanity check on type values.
@@ -287,7 +286,7 @@ static rpmRC hdrblobVerifyInfo(hdrblob blob, char **emsg)
 	    goto err;
 	if (hdrchkType(info.type))
 	    goto err;
-	if (hdrchkCount(info.count))
+	if (hdrchkCount(blob->dl, info.count))
 	    goto err;
 	if (hdrchkAlign(info.type, info.offset))
 	    goto err;
-- 
cgit v1.2.1