diff -up rpm-4.8.0/lib/header.c.header-sanity rpm-4.8.0/lib/header.c
--- rpm-4.8.0/lib/header.c.header-sanity	2009-12-07 15:36:49.000000000 +0100
+++ rpm-4.8.0/lib/header.c	2011-09-29 12:28:27.093307782 +0200
@@ -358,6 +358,8 @@ static int regionSwab(indexEntry entry,
 		const unsigned char * dataEnd,
 		int regionid)
 {
+    if (regionid > 0)
+	return -1;
     for (; il > 0; il--, pe++) {
 	struct indexEntry_s ie;
 	rpmTagType type;
@@ -827,6 +829,8 @@ Header headerLoad(void * uh)
 	    if (off) {
 		size_t nb = REGION_TAG_COUNT;
 		int32_t stei[nb];
+		if (dataStart + off + nb > dataEnd)
+		    goto errxit;
 		/* XXX Hmm, why the copy? */
 		memcpy(&stei, dataStart + off, nb);
 		rdl = -ntohl(stei[2]);	/* negative offset */