http://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=472e569562d4c90d7a298080e0052856aa7fa86b http://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=11a7e5d95a8ca8c7d4eaff179094afd8bb74fc3f http://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=a48f0e20cbe2ababc88b2fc52fb7a281d6fc1656 http://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=30635dd4330a192fa2b6e202a0e2490eba599a93
diff -Naurp rpm-4.6.0/lib/header.c rpm-4.6.0.oden/lib/header.c
--- rpm-4.6.0/lib/header.c 2011-10-05 12:38:32.000000000 +0000
+++ rpm-4.6.0.oden/lib/header.c 2011-10-05 13:00:55.000000000 +0000
@@ -379,6 +379,10 @@ static int regionSwab(indexEntry entry,
 struct indexEntry_s ieprev;
 memset(&ieprev, 0, sizeof(ieprev));
+
+ if ((entry != NULL && regionid >= 0) || (entry == NULL && regionid != 0))
+ return -1;
+
 for (; il > 0; il--, pe++) {
 struct indexEntry_s ie;
 rpmTagType type;
@@ -903,7 +907,7 @@ Header headerLoad(void * uh)
 { int off = ntohl(pe->offset);
- if (hdrchkData(off))
+ if (hdrchkData(off) || hdrchkRange(dl, off))
 goto errxit;
 if (off) {
 size_t nb = REGION_TAG_COUNT;
@@ -962,6 +966,11 @@ Header headerLoad(void * uh)
 h->indexUsed += ne;
 }
 }
+
+ rdlen += REGION_TAG_COUNT;
+ /* XXX should be equality test, but dribbles are sometimes a bit off? */
+ if (rdlen > dl || (rdlen < dl && ril == h->indexUsed))
+ goto errxit;
 }
 h->flags &= ~HEADERFLAG_SORTED;
diff -Naurp rpm-4.6.0/rpmio/rpmpgp.c rpm-4.6.0.oden/rpmio/rpmpgp.c
--- rpm-4.6.0/rpmio/rpmpgp.c 2009-01-08 11:34:38.000000000 +0000
+++ rpm-4.6.0.oden/rpmio/rpmpgp.c 2011-10-05 12:49:41.000000000 +0000
@@ -470,6 +470,9 @@ static int pgpPrtSubType(const uint8_t *
 while (hlen > 0) {
 i = pgpLen(p, &plen);
+ if (i + plen > hlen)
+ break;
+
 p += i;
 hlen -= i;
@@ -552,7 +555,7 @@ static int pgpPrtSubType(const uint8_t *
 p += plen;
 hlen -= plen;
 }
- return 0;
+ return (hlen != 0); /* non-zero hlen is an error */
 }
 static const char * const pgpSigRSA[] = {
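Review bot: The new argument-consistency guard at the top of regionSwab encodes an invariant that is stated nowhere: a non-NULL entry must come with a negative regionid, and a NULL entry (presumably a count-only or validation pass — confirm against the callers, which are not in this hunk) must use regionid 0. A one-line comment above it would spare the next reader from reverse-engineering the expression: `/* Real entries belong to a region with a negative id; a NULL entry is only valid with regionid 0 */`. regionSwab's signature and the rest of its body lie outside the hunk.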
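Review bot: Bounding off alone does not protect the REGION_TAG_COUNT-byte region trailer that the last context line, `size_t nb = REGION_TAG_COUNT;`, sets up to be read at dataStart + off just past the hunk: hdrchkRange(dl, off) (its definition is not shown; presumably it only keeps off within [0, dl]) still accepts an off that is fewer than REGION_TAG_COUNT bytes before dl, so that read runs past the data area. Because off is taken straight from the untrusted header, the check should cover the whole trailer, `if (hdrchkData(off) || hdrchkRange(dl, off + REGION_TAG_COUNT))`, adjusted for whether hdrchkRange treats its bound as inclusive. headerLoad starts and ends outside this hunk.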
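Review bot: The new length check is justified by a comment that is itself a question (`XXX should be equality test, but dribbles are sometimes a bit off?`), which leaves a security-relevant decision — accepting rdlen < dl whenever dribble entries exist — unexplained. State the rule the condition actually implements, e.g. `/* Region data must account for dl exactly; a short rdlen is tolerated only when dribble entries follow the region (ril != h->indexUsed), an overrun never. */`, and if the slack is genuinely unexplained record it as a TODO naming the packages that exhibit it rather than as a question mark. The enclosing block of headerLoad opens before the hunk.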
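Review bot: The bound `i + plen > hlen` is applied only after pgpLen(p, &plen) has already decoded the length prefix, so pgpLen's own reads at p remain unchecked: if it implements the OpenPGP new-format encoding (1, 2 or 5 prefix bytes — its body is not in the hunk), a subpacket area with hlen of 1 and a first byte of 192 or more is read past the end before the guard runs. Closing that needs a check before the decode, for instance a pgpLen variant that takes the remaining hlen and refuses to read beyond it. The `break` also reports an error only because hlen is left non-zero for the return at the end of the function; a comment `/* truncated subpacket: leave hlen != 0 so the return reports an error */` makes that dependency explicit. pgpPrtSubType's signature is outside the hunk.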
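Review bot: pgpPrtSubType now returns 1 on a malformed subpacket area, but that contract exists only in the trailing comment; the function's header comment (above the hunk) and its declaration should document `@return 0 on success, 1 if the subpacket area is truncated or over-long` so that every caller can be audited — this patch updates only the two calls in the rpmpgp.c hunks that follow, and any other caller still discards the result. Note that hlen is now the sole error channel: any future early exit from the loop that happens to leave hlen at 0 would silently report success.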
@@ -711,7 +714,8 @@ fprintf(stderr, " hash[%zu] -- %s\n",
 _digp->hashlen = sizeof(*v) + plen;
 _digp->hash = memcpy(xmalloc(_digp->hashlen), v, _digp->hashlen);
 }
- (void) pgpPrtSubType(p, plen, v->sigtype, _digp);
+ if (pgpPrtSubType(p, plen, v->sigtype, _digp))
+ return 1;
 p += plen;
 plen = pgpGrab(p,2);
@@ -722,7 +726,8 @@ fprintf(stderr, " hash[%zu] -- %s\n",
 if (_debug && _print)
 fprintf(stderr, " unhash[%zu] -- %s\n", plen, pgpHexStr(p, plen));
- (void) pgpPrtSubType(p, plen, v->sigtype, _digp);
+ if (pgpPrtSubType(p, plen, v->sigtype, _digp))
+ return 1;
 p += plen;
 plen = pgpGrab(p,2);
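Review bot: The early `return 1` after a failed pgpPrtSubType leaves _digp partially populated: the lines immediately above have just set `_digp->hashlen` and allocated `_digp->hash` with xmalloc, and nothing in the hunk releases or resets them. Whether that is a leak or a stale-state problem depends on who owns _digp, which this hunk does not show; if the caller does not free it on error, release the just-allocated hash and clear `_digp->hashlen` before the return, and in either case add a short comment stating who cleans up. The enclosing function starts and ends outside this hunk.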
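Review bot: The last line of the hunk, `plen = pgpGrab(p,2);`, reads two bytes after p has been advanced by the unhashed-subpacket length taken from the packet, and nothing visible here checks that those two bytes lie inside the signature packet; any range check that guards this area precedes the hunk and, if it is shaped like the subpacket check, covers only p + plen. A packet whose unhashed area ends exactly at the packet boundary would then be read two bytes past its end, so a guard against the packet end before the read, `if (p + 2 > packet_end) return 1;` with whatever names the function uses for the packet base and length, is warranted. The enclosing function starts and ends outside this hunk.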