http://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=e4eab2bc6d07cfd33f740071de7ddbb2fe2f4190
http://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=f23998251992b8ae25faf5113c42fee2c49c7f29
diff -Naurp rpm-4.6.0/lib/header.c rpm-4.6.0.oden/lib/header.c
--- rpm-4.6.0/lib/header.c 2012-04-04 14:10:47.000000000 +0000
+++ rpm-4.6.0.oden/lib/header.c 2012-04-04 14:10:10.000000000 +0000
@@ -899,10 +899,13 @@ Header headerLoad(void * uh)
entry->info.type = htonl(pe->type);
entry->info.count = htonl(pe->count);
+ entry->info.tag = htonl(pe->tag);
- if (hdrchkType(entry->info.type))
+ if (!ENTRY_IS_REGION(entry))
goto errxit;
- if (hdrchkTags(entry->info.count))
+ if (entry->info.type != REGION_TAG_TYPE)
+ goto errxit;
+ if (entry->info.count != REGION_TAG_COUNT)
goto errxit;
{ int off = ntohl(pe->offset);
@@ -918,7 +921,6 @@ Header headerLoad(void * uh)
ril = rdl/sizeof(*pe);
if (hdrchkTags(ril) || hdrchkData(rdl))
goto errxit;
- entry->info.tag = htonl(pe->tag);
} else {
ril = il;
rdl = (ril * sizeof(struct entryInfo_s));
diff -Naurp rpm-4.6.0/lib/package.c rpm-4.6.0.oden/lib/package.c
--- rpm-4.6.0/lib/package.c 2009-01-30 07:23:19.000000000 +0000
+++ rpm-4.6.0.oden/lib/package.c 2012-04-04 14:10:16.000000000 +0000
@@ -254,16 +254,23 @@ rpmRC headerCheck(rpmts ts, const void *
}
/* Is there an immutable header region tag? */
- if (!(entry.info.tag == RPMTAG_HEADERIMMUTABLE
- && entry.info.type == RPM_BIN_TYPE
- && entry.info.count == REGION_TAG_COUNT))
- {
+ if (!(entry.info.tag == RPMTAG_HEADERIMMUTABLE)) {
rc = RPMRC_NOTFOUND;
goto exit;
}
- /* Is the offset within the data area? */
- if (entry.info.offset >= dl) {
+ /* Is the region tag sane? */
+ if (!(entry.info.type == REGION_TAG_TYPE &&
+ entry.info.count == REGION_TAG_COUNT)) {
+ rasprintf(&buf,
+ _("region tag: BAD, tag %d type %d offset %d count %d\n"),
+ entry.info.tag, entry.info.type,
+ entry.info.offset, entry.info.count);
+ goto exit;
+ }
+
+ /* Is the trailer within the data area? */
+ if (entry.info.offset + REGION_TAG_COUNT > dl) {
rasprintf(&buf,
_("region offset: BAD, tag %d type %d offset %d count %d\n"),
entry.info.tag, entry.info.type,
@@ -279,7 +286,7 @@ rpmRC headerCheck(rpmts ts, const void *
xx = headerVerifyInfo(1, dl, &info, &entry.info, 1);
if (xx != -1 ||
!(entry.info.tag == RPMTAG_HEADERIMMUTABLE
- && entry.info.type == RPM_BIN_TYPE
+ && entry.info.type == REGION_TAG_TYPE
&& entry.info.count == REGION_TAG_COUNT))
{
rasprintf(&buf,
diff -Naurp rpm-4.6.0/lib/signature.c rpm-4.6.0.oden/lib/signature.c
--- rpm-4.6.0/lib/signature.c 2008-11-19 12:13:13.000000000 +0000
+++ rpm-4.6.0.oden/lib/signature.c 2012-04-04 14:10:16.000000000 +0000
@@ -216,12 +216,19 @@ rpmRC rpmReadSignature(FD_t fd, Header *
}
/* Is there an immutable header region tag? */
- if (entry.info.tag == RPMTAG_HEADERSIGNATURES
- && entry.info.type == RPM_BIN_TYPE
- && entry.info.count == REGION_TAG_COUNT)
- {
-
- if (entry.info.offset >= dl) {
+ if (entry.info.tag == RPMTAG_HEADERSIGNATURES) {
+ /* Is the region tag sane? */
+ if (!(entry.info.type == REGION_TAG_TYPE &&
+ entry.info.count == REGION_TAG_COUNT)) {
+ rasprintf(&buf,
+ _("region tag: BAD, tag %d type %d offset %d count %d\n"),
+ entry.info.tag, entry.info.type,
+ entry.info.offset, entry.info.count);
+ goto exit;
+ }
+
+ /* Is the trailer within the data area? */
+ if (entry.info.offset + REGION_TAG_COUNT > dl) {
rasprintf(&buf,
_("region offset: BAD, tag %d type %d offset %d count %d\n"),
entry.info.tag, entry.info.type,
@@ -243,7 +250,7 @@ rpmRC rpmReadSignature(FD_t fd, Header *
xx = headerVerifyInfo(1, dl, &info, &entry.info, 1);
if (xx != -1 ||
!((entry.info.tag == RPMTAG_HEADERSIGNATURES || entry.info.tag == RPMTAG_HEADERIMAGE)
- && entry.info.type == RPM_BIN_TYPE
+ && entry.info.type == REGION_TAG_TYPE
&& entry.info.count == REGION_TAG_COUNT))
{
rasprintf(&buf,
distrib
>
Mandriva
>
2010.1
>
x86_64
>
media
>
main-updates-src
>
by-pkgid
>
dec4e1edeef36e7485e13bf42f1af5da
>
files
>
12
