22 lines
736 B
Diff
22 lines
736 B
Diff
diff -up rpm-4.8.0/lib/header.c.header-sanity rpm-4.8.0/lib/header.c
|
|
--- rpm-4.8.0/lib/header.c.header-sanity 2009-12-07 15:36:49.000000000 +0100
|
|
+++ rpm-4.8.0/lib/header.c 2011-09-29 12:28:27.093307782 +0200
|
|
@@ -358,6 +358,8 @@ static int regionSwab(indexEntry entry,
|
|
const unsigned char * dataEnd,
|
|
int regionid)
|
|
{
|
|
+ if (regionid > 0)
|
|
+ return -1;
|
|
for (; il > 0; il--, pe++) {
|
|
struct indexEntry_s ie;
|
|
rpmTagType type;
|
|
@@ -827,6 +829,8 @@ Header headerLoad(void * uh)
|
|
if (off) {
|
|
size_t nb = REGION_TAG_COUNT;
|
|
int32_t stei[nb];
|
|
+ if (dataStart + off + nb > dataEnd)
|
|
+ goto errxit;
|
|
/* XXX Hmm, why the copy? */
|
|
memcpy(&stei, dataStart + off, nb);
|
|
rdl = -ntohl(stei[2]); /* negative offset */
|
