From: Panu Matilainen Date: Thu, 29 Sep 2011 09:50:57 +0000 (+0300) Subject: Sanity check region offset in regionSwab() X-Git-Tag: tznext/4.11.0.1.tizen20130304~885 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=11a7e5d95a8ca8c7d4eaff179094afd8bb74fc3f;p=tools%2Flibrpm-tizen.git Sanity check region offset in regionSwab() - Region offsets are supposed to be negative when an entry is involved, otherwise zero. Fixes some cases of crash'n'burn on malformed headers having bogus offsets (CVE-2011-3378) --- diff --git a/lib/header.c b/lib/header.c index 5a54e75..284be09 100644 --- a/lib/header.c +++ b/lib/header.c @@ -381,6 +381,9 @@ static int regionSwab(indexEntry entry, int il, int dl, const unsigned char * dataEnd, int regionid) { + if ((entry != NULL && regionid >= 0) || (entry == NULL && regionid != 0)) + return -1; + for (; il > 0; il--, pe++) { struct indexEntry_s ie; rpm_tagtype_t type;
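Review bot: The new guard at the top of regionSwab() constrains only the sign of regionid, so when entry != NULL any negative value passes, however large its magnitude. If nothing further down the function bounds the offset against dl or dataEnd, a malformed header can still reach the loop with an out-of-range value; consider adding a magnitude limit to the same condition, or state in the commit message where that bound is enforced. The parameter is named regionid while the message describes it as a region offset, so a one-line comment above the `if` spelling out the rule (negative with an entry, zero without) would help the next reader. It is also worth confirming that every caller treats the new `return -1` as a failure, and adding a regression test with a header that carries a bogus offset.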