Fix buffer overflow in verifyDSASignature()
authorJindrich Novy <jnovy@redhat.com>
Wed, 9 Apr 2008 08:10:17 +0000 (10:10 +0200)
committerJindrich Novy <jnovy@redhat.com>
Wed, 9 Apr 2008 08:12:00 +0000 (10:12 +0200)
- caused by assumption that sizeof(size_t) is always 4 (credited to jbj)

lib/signature.c

index f1b5c00..61497b1 100644 (file)
@@ -1266,12 +1266,13 @@ verifyDSASignature(rpmts ts, char ** msg,
 
        if (sigp->version == 4) {
            size_t nb = sigp->hashlen;
-           uint8_t trailer[6];
+           uint8_t *trailer = xmalloc(2+sizeof(nb));
            nb = htonl(nb);
            trailer[0] = sigp->version;
            trailer[1] = 0xff;
            memcpy(trailer+2, &nb, sizeof(nb));
            xx = rpmDigestUpdate(ctx, trailer, sizeof(trailer));
+           free(trailer);
        }
        xx = rpmDigestFinal(ctx, (void **)&dig->sha1, &dig->sha1len, 0);
        (void) rpmswExit(rpmtsOp(ts, RPMTS_OP_DIGEST), sigp->hashlen);
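Review bot: `sizeof(trailer)` in the `rpmDigestUpdate` call now measures a `uint8_t *` rather than the buffer, so the number of trailer bytes hashed is the pointer size (8 on typical 64-bit builds, 4 on 32-bit), not the `2+sizeof(nb)` bytes allocated. The heap buffer stops the `memcpy` overwrite, but the hashed trailer still varies with the platform's `size_t`, and a V4 signature trailer carries a four-octet length, so verification on 64-bit targets would likely compute a digest that differs from the signer's. Keeping the fixed array and making the length 32-bit removes both problems without an allocation: `uint32_t nb = htonl(sigp->hashlen);` and `uint8_t trailer[6];`, after which the existing `memcpy(trailer+2, &nb, sizeof(nb));` copies exactly four bytes and `sizeof(trailer)` is 6 again. The body of verifyDSASignature starts and ends outside this hunk, so whether other signature paths build the trailer the same way cannot be checked from here.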