From 502d07cf24fda57fdf0998a220b1a1176dadd985 Mon Sep 17 00:00:00 2001
From: Panu Matilainen
Date: Sat, 28 Jan 2012 17:53:11 +0200
Subject: [PATCH] Test for filename triplet sanity in rpmfiNew()

- Basename and dirindex counts must be equal, dirnames count must be larger than zero and no larger than number of basenames. Check that directory indexes are within range.
- There are mountains of further checks to be added here (and elsewhere) but we gotta start somewhere... and filename triplets are one of the more critical elements we got.
---
 lib/rpmfi.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/lib/rpmfi.c b/lib/rpmfi.c
index 3abd60e..8ea18d9 100644
--- a/lib/rpmfi.c
+++ b/lib/rpmfi.c
@@ -1144,6 +1144,17 @@ rpmfi rpmfiNew(const rpmts ts, Header h, rpmTagVal tagN, rpmfiFlags flags)
 _hgfi(h, RPMTAG_DIRNAMES, &td, defFlags, fi->dnl);
 fi->dc = rpmtdCount(&td);
 _hgfi(h, RPMTAG_DIRINDEXES, &td, scareFlags, fi->dil);
+
+ /* Is our filename triplet sane? */
+ if (fi->dc == 0 || fi->dc > fi->fc || rpmtdCount(&td) != fi->fc)
+ goto errxit;
+
+ for (rpm_count_t i = 0; i < fi->fc; i++) {
+ if (fi->dil[i] >= fi->fc)
+ goto errxit;
+ }
+
+ /* XXX TODO: all these should be sanity checked, ugh... */
 if (!(flags & RPMFI_NOFILEMODES))
 _hgfi(h, RPMTAG_FILEMODES, &td, scareFlags, fi->fmodes);
 if (!(flags & RPMFI_NOFILEFLAGS))
@@ -1238,6 +1249,10 @@ exit:
 /* FIX: rpmfi null annotations */
 return rpmfiLink(fi);
+
+errxit:
+ rpmfiFree(fi);
+ return NULL;
 }
 void rpmfiSetFReplacedSize(rpmfi fi, rpm_loff_t newsize)
--
2.7.4
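Review bot: The range check in the new `for` loop in the first hunk compares each directory index against the basename count instead of the directory count: `fi->dil[i]` is used to index `fi->dnl`, which was loaded from RPMTAG_DIRNAMES and has `fi->dc` entries (set two lines above the check), so an index in the range [dc, fc) passes the test yet still reads past the end of the dirnames array. The guard should be `if (fi->dil[i] >= fi->dc)`. Because the preceding triplet check only guarantees `dc <= fc`, the current comparison narrows the out-of-bounds window for a crafted header rather than closing it, which is the case the commit message says it intends to reject. rpmfiNew() begins and continues outside this hunk, and the second hunk (the `errxit` label) looks fine as a cleanup path.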