- Offset being within the data area doesn't help if the actual data doesn't
fit. Since the trailer size is well known, we can just as easily
make the check accurate to prevent reading beyond end of data in case
the offset is subtly wrong.
- In headerLoad(), a region offset of zero doesn't need sanity checking;
only validate if it's something else, and do so accurately there too.
{ int off = ntohl(pe->offset);
- if (hdrchkData(off) || hdrchkRange(dl, off))
- goto errxit;
if (off) {
size_t nb = REGION_TAG_COUNT;
int32_t stei[nb];
+ if (hdrchkRange(dl, (off + nb)))
+ goto errxit;
/* XXX Hmm, why the copy? */
memcpy(&stei, dataStart + off, nb);
rdl = -ntohl(stei[2]); /* negative offset */
goto exit;
}
- /* Is the offset within the data area? */
- if (entry.info.offset >= dl) {
+ /* Is the trailer within the data area? */
+ if (entry.info.offset + REGION_TAG_COUNT > dl) {
rasprintf(&buf,
_("region offset: BAD, tag %d type %d offset %d count %d\n"),
entry.info.tag, entry.info.type,
&& entry.info.count == REGION_TAG_COUNT)
{
- if (entry.info.offset >= dl) {
+ /* Is the trailer within the data area? */
+ if (entry.info.offset + REGION_TAG_COUNT > dl) {
rasprintf(&buf,
_("region offset: BAD, tag %d type %d offset %d count %d\n"),
entry.info.tag, entry.info.type,