Sanity check region length on header load
author Panu Matilainen <pmatilai@redhat.com>
Mon, 3 Oct 2011 14:49:29 +0000 (17:49 +0300)
committer Panu Matilainen <pmatilai@redhat.com>
Mon, 3 Oct 2011 14:59:18 +0000 (17:59 +0300)
- Region size can't obviously be larger than the containing header,
  sanity check to avoid crashes from malformed packages.
- We should really test for length equality here, but with dribbles
  the size is sometimes off by three, whatever the reason (bug likely),
  leaving that investigation for some sunnier day...

lib/header.c

index c771967..b01d1e4 100644 (file)
@@ -895,6 +895,11 @@ Header headerLoad(void * uh)
            h->indexUsed += ne;
          }
        }
+
+       rdlen += REGION_TAG_COUNT;
+       /* XXX should be equality test, but dribbles are sometimes a bit off? */
+       if (rdlen > dl || (rdlen < dl && ril == h->indexUsed))
+           goto errxit;
     }
 
     h->flags &= ~HEADERFLAG_SORTED;
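
Review bot: The lower bound in `if (rdlen > dl || (rdlen < dl && ril == h->indexUsed))` is enforced only when `ril == h->indexUsed`; in every other case any `rdlen` up to `dl` passes, which is far wider than the "off by three" slack the commit message describes. Consider bounding the tolerated difference in that branch, for example by rejecting when `dl - rdlen` exceeds a small named constant, so a malformed header cannot get through with an arbitrarily short region. The XXX comment should also state what `ril == h->indexUsed` is meant to distinguish (presumably the no-dribble case), since the condition does not make that evident on its own.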