From a48f0e20cbe2ababc88b2fc52fb7a281d6fc1656 Mon Sep 17 00:00:00 2001
From: Panu Matilainen
Date: Thu, 29 Sep 2011 13:22:32 +0300
Subject: [PATCH] Sanity check region offset range on headerLoad()
- Fixes the first case crash of RhBug:741606 / CVE-2011-3378 where immutable region offset is way out of bounds.
---
 lib/header.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/header.c b/lib/header.c
index 284be09..c771967 100644
--- a/lib/header.c
+++ b/lib/header.c
@@ -836,7 +836,7 @@ Header headerLoad(void * uh)
 {
 int off = ntohl(pe->offset);
- if (hdrchkData(off))
+ if (hdrchkData(off) || hdrchkRange(dl, off))
 goto errxit;
 if (off) {
 size_t nb = REGION_TAG_COUNT;
-- 
2.7.4
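Review bot: The added `hdrchkRange(dl, off)` bounds only where the region trailer starts, not where it ends, so an offset within the last few bytes of the data area still passes the check. The `if (off)` branch that follows declares `size_t nb = REGION_TAG_COUNT`, which suggests (the read itself is outside the hunk) that `nb` bytes are taken at that offset. If so, the guard should also require room for the whole trailer, e.g. `if (hdrchkData(off) || hdrchkRange(dl, off) || (off && (size_t)(dl - off) < REGION_TAG_COUNT))`, assuming `dl` is the signed data length. `off` is a signed `int` filled from `ntohl()`, so the check also relies on `hdrchkRange` rejecting negative values; its definition is not shown here and is worth confirming. headerLoad's body starts and ends outside the hunk.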