Sanity check region offset in regionSwab()

- Region offsets are supposed to be negative when when an entry
  is involved, otherwise zero. Fixes some cases of crash'n'burn on
  malformed headers having bogus offsets (CVE-2011-3378)

diff --git a/lib/header.c b/lib/header.c
index 5a54e75..284be09 100644 (file)
--- a/lib/header.c
+++ b/lib/header.c
@@ -381,6 +381,9 @@ static int regionSwab(indexEntry entry, int il, int dl,
                const unsigned char * dataEnd,
                int regionid)
 {
+    if ((entry != NULL && regionid >= 0) || (entry == NULL && regionid != 0))
+       return -1;
+
     for (; il > 0; il--, pe++) {
        struct indexEntry_s ie;
        rpm_tagtype_t type;