Check all header strings to resize buffer CVE-2006-5466 (#212833).

Patch backported from rpm5.org / JBJ.

diff --git a/lib/query.c b/lib/query.c
index 77ee885..2a6d4ff 100644 (file)
--- a/lib/query.c
+++ b/lib/query.c
@@ -150,12 +150,14 @@ int showQueryPackage(QVA_t qva, rpmts ts, Header h)
 {
     int scareMem = 0;
     rpmfi fi = NULL;
+    size_t tb = 2 * BUFSIZ;
+    size_t sb;
     char * t, * te;
     char * prefix = NULL;
     int rc = 0;                /* XXX FIXME: need real return code */
     int i;
 
-    te = t = xmalloc(BUFSIZ);
+    te = t = xmalloc(tb);
 /*@-boundswrite@*/
     *te = '\0';
 /*@=boundswrite@*/
@@ -164,12 +166,13 @@ int showQueryPackage(QVA_t qva, rpmts ts, Header h)
        const char * str = queryHeader(h, qva->qva_queryFormat);
        /*@-branchstate@*/
        if (str) {
-           size_t tb = (te - t);
-           size_t sb = strlen(str);
+           size_t tx = (te - t);
 
-           if (sb >= (BUFSIZ - tb)) {
-               t = xrealloc(t, BUFSIZ+sb);
-               te = t + tb;
+           sb = strlen(str);
+           if (sb) {
+               tb += sb;
+               t = xrealloc(t, tb);
+               te = t + tx;
            }
 /*@-boundswrite@*/
            /*@-usereleased@*/
@@ -246,6 +249,15 @@ int showQueryPackage(QVA_t qva, rpmts ts, Header h)
        if ((qva->qva_fflags & RPMFILE_GHOST) && (fflags & RPMFILE_GHOST))
            continue;
 
+       /* Insure space for header derived data */
+       sb = strlen(fn) + strlen(fmd5) + strlen(fuser) + strlen(fgroup) + strlen(flink);
+       if ((sb + BUFSIZ) > tb) {
+           size_t tx = (te - t);
+           tb += sb + BUFSIZ;
+           t = xrealloc(t, tb);
+           te = t + tx;
+       }
+
 /*@-boundswrite@*/
        if (!rpmIsVerbose() && prefix)
            te = stpcpy(te, prefix);