--- rpm-4.4.8/lib/rpmds.c.pix 2007-01-21 20:47:20.000000000 +0100 +++ rpm-4.4.8/lib/rpmds.c 2007-08-21 17:30:41.000000000 +0200 @@ -249,6 +249,7 @@ assert(scareMem == 0); /* XXX always al && N != NULL && Count > 0) { int xx; + int_32 CountEVR, CountF; ds = xcalloc(1, sizeof(*ds)); ds->Type = Type; @@ -262,9 +263,9 @@ assert(scareMem == 0); /* XXX always al ds->nopromote = _rpmds_nopromote; if (tagEVR > 0) - xx = hge(h, tagEVR, &ds->EVRt, (void **) &ds->EVR, NULL); + xx = hge(h, tagEVR, &ds->EVRt, (void **) &ds->EVR, &CountEVR); if (tagF > 0) - xx = hge(h, tagF, &ds->Ft, (void **) &ds->Flags, NULL); + xx = hge(h, tagF, &ds->Ft, (void **) &ds->Flags, &CountF); /*@-boundsread@*/ if (!scareMem && ds->Flags != NULL) ds->Flags = memcpy(xmalloc(ds->Count * sizeof(*ds->Flags)), @@ -295,6 +296,8 @@ assert(scareMem == 0); /* XXX always al } } else if (tagN == RPMTAG_FILELINKTOS) { + if (Count > CountF) Count = CountF; + /* XXX Construct the absolute path of the target symlink(s). */ const char ** av = xcalloc(Count+1, sizeof(*av)); int i; @@ -304,7 +307,7 @@ assert(scareMem == 0); /* XXX always al av[i] = xstrdup(""); else if (*N[i] == '/') av[i] = xstrdup(N[i]); - else if (ds->EVR && ds->Flags) + else if (ds->EVR && ds->Flags && ds->Flags[i] >= 0 && ds->Flags[i] < CountEVR) /*@-nullderef@*/ /* XXX ds->Flags != NULL */ av[i] = rpmGenPath(NULL, ds->EVR[ds->Flags[i]], N[i]); /*@=nullderef@*/