148 lines
4.9 KiB
Diff
148 lines
4.9 KiB
Diff
|
--- lib/header.c.orig 2012-04-17 16:16:29.000000000 +0000
|
||
|
+++ lib/header.c 2012-04-17 16:53:32.000000000 +0000
|
||
|
@@ -197,7 +197,7 @@ int headerVerifyInfo(int il, int dl, con
|
||
|
return i;
|
||
|
if (hdrchkAlign(info->type, info->offset))
|
||
|
return i;
|
||
|
- if (!negate && hdrchkRange(dl, info->offset))
|
||
|
+ if (hdrchkRange(dl, info->offset))
|
||
|
return i;
|
||
|
if (hdrchkData(info->count))
|
||
|
return i;
|
||
|
@@ -837,10 +837,13 @@ Header headerLoad(void * uh)
|
||
|
|
||
|
entry->info.type = htonl(pe->type);
|
||
|
entry->info.count = htonl(pe->count);
|
||
|
+ entry->info.tag = htonl(pe->tag);
|
||
|
|
||
|
- if (hdrchkType(entry->info.type))
|
||
|
+ if (!ENTRY_IS_REGION(entry))
|
||
|
goto errxit;
|
||
|
- if (hdrchkTags(entry->info.count))
|
||
|
+ if (entry->info.type != REGION_TAG_TYPE)
|
||
|
+ goto errxit;
|
||
|
+ if (entry->info.count != REGION_TAG_COUNT)
|
||
|
goto errxit;
|
||
|
|
||
|
{ int off = ntohl(pe->offset);
|
||
|
@@ -856,7 +859,6 @@ Header headerLoad(void * uh)
|
||
|
ril = rdl/sizeof(*pe);
|
||
|
if (hdrchkTags(ril) || hdrchkData(rdl))
|
||
|
goto errxit;
|
||
|
- entry->info.tag = htonl(pe->tag);
|
||
|
} else {
|
||
|
ril = il;
|
||
|
rdl = (ril * sizeof(struct entryInfo_s));
|
||
|
@@ -876,13 +878,12 @@ Header headerLoad(void * uh)
|
||
|
indexEntry newEntry = entry + ril;
|
||
|
int ne = (h->indexUsed - ril);
|
||
|
int rid = entry->info.offset+1;
|
||
|
- int rc;
|
||
|
|
||
|
/* Load dribble entries from region. */
|
||
|
- rc = regionSwab(newEntry, ne, 0, pe+ril, dataStart, dataEnd, rid);
|
||
|
- if (rc < 0)
|
||
|
+ rdlen = regionSwab(newEntry, ne, rdlen, pe+ril,
|
||
|
+ dataStart, dataEnd, rid);
|
||
|
+ if (rdlen < 0)
|
||
|
goto errxit;
|
||
|
- rdlen += rc;
|
||
|
|
||
|
{ indexEntry firstEntry = newEntry;
|
||
|
int save = h->indexUsed;
|
||
|
@@ -905,7 +906,7 @@ Header headerLoad(void * uh)
|
||
|
}
|
||
|
}
|
||
|
rdlen += REGION_TAG_COUNT;
|
||
|
- /* XXX should be equality test, but dribbles are sometimes a bit off? */
|
||
|
+ /* should be equality test, but can be off if entries are not perfectly aligned */
|
||
|
if (rdlen > dl)
|
||
|
goto errxit;
|
||
|
}
|
||
|
--- lib/package.c.orig 2012-04-17 16:26:00.000000000 +0000
|
||
|
+++ lib/package.c 2012-04-17 16:26:05.000000000 +0000
|
||
|
@@ -241,16 +241,23 @@ static rpmRC headerVerify(rpmKeyring key
|
||
|
}
|
||
|
|
||
|
/* Is there an immutable header region tag? */
|
||
|
- if (!(entry.info.tag == RPMTAG_HEADERIMMUTABLE
|
||
|
- && entry.info.type == RPM_BIN_TYPE
|
||
|
- && entry.info.count == REGION_TAG_COUNT))
|
||
|
- {
|
||
|
+ if (!(entry.info.tag == RPMTAG_HEADERIMMUTABLE)) {
|
||
|
rc = RPMRC_NOTFOUND;
|
||
|
goto exit;
|
||
|
}
|
||
|
|
||
|
- /* Is the offset within the data area? */
|
||
|
- if (entry.info.offset >= dl) {
|
||
|
+ /* Is the region tag sane? */
|
||
|
+ if (!(entry.info.type == REGION_TAG_TYPE &&
|
||
|
+ entry.info.count == REGION_TAG_COUNT)) {
|
||
|
+ rasprintf(&buf,
|
||
|
+ _("region tag: BAD, tag %d type %d offset %d count %d\n"),
|
||
|
+ entry.info.tag, entry.info.type,
|
||
|
+ entry.info.offset, entry.info.count);
|
||
|
+ goto exit;
|
||
|
+ }
|
||
|
+
|
||
|
+ /* Is the trailer within the data area? */
|
||
|
+ if (entry.info.offset + REGION_TAG_COUNT > dl) {
|
||
|
rasprintf(&buf,
|
||
|
_("region offset: BAD, tag %d type %d offset %d count %d\n"),
|
||
|
entry.info.tag, entry.info.type,
|
||
|
@@ -263,10 +270,10 @@ static rpmRC headerVerify(rpmKeyring key
|
||
|
(void) memcpy(&info, regionEnd, REGION_TAG_COUNT);
|
||
|
regionEnd += REGION_TAG_COUNT;
|
||
|
|
||
|
- xx = headerVerifyInfo(1, dl, &info, &entry.info, 1);
|
||
|
+ xx = headerVerifyInfo(1, il * sizeof(*pe), &info, &entry.info, 1);
|
||
|
if (xx != -1 ||
|
||
|
!(entry.info.tag == RPMTAG_HEADERIMMUTABLE
|
||
|
- && entry.info.type == RPM_BIN_TYPE
|
||
|
+ && entry.info.type == REGION_TAG_TYPE
|
||
|
&& entry.info.count == REGION_TAG_COUNT))
|
||
|
{
|
||
|
rasprintf(&buf,
|
||
|
--- lib/signature.c.orig 2012-04-17 16:25:52.000000000 +0000
|
||
|
+++ lib/signature.c 2012-04-17 16:26:05.000000000 +0000
|
||
|
@@ -133,12 +133,19 @@ rpmRC rpmReadSignature(FD_t fd, Header *
|
||
|
}
|
||
|
|
||
|
/* Is there an immutable header region tag? */
|
||
|
- if (entry.info.tag == RPMTAG_HEADERSIGNATURES
|
||
|
- && entry.info.type == RPM_BIN_TYPE
|
||
|
- && entry.info.count == REGION_TAG_COUNT)
|
||
|
- {
|
||
|
-
|
||
|
- if (entry.info.offset >= dl) {
|
||
|
+ if (entry.info.tag == RPMTAG_HEADERSIGNATURES) {
|
||
|
+ /* Is the region tag sane? */
|
||
|
+ if (!(entry.info.type == REGION_TAG_TYPE &&
|
||
|
+ entry.info.count == REGION_TAG_COUNT)) {
|
||
|
+ rasprintf(&buf,
|
||
|
+ _("region tag: BAD, tag %d type %d offset %d count %d\n"),
|
||
|
+ entry.info.tag, entry.info.type,
|
||
|
+ entry.info.offset, entry.info.count);
|
||
|
+ goto exit;
|
||
|
+ }
|
||
|
+
|
||
|
+ /* Is the trailer within the data area? */
|
||
|
+ if (entry.info.offset + REGION_TAG_COUNT > dl) {
|
||
|
rasprintf(&buf,
|
||
|
_("region offset: BAD, tag %d type %d offset %d count %d\n"),
|
||
|
entry.info.tag, entry.info.type,
|
||
|
@@ -157,10 +164,10 @@ rpmRC rpmReadSignature(FD_t fd, Header *
|
||
|
}
|
||
|
dataEnd += REGION_TAG_COUNT;
|
||
|
|
||
|
- xx = headerVerifyInfo(1, dl, &info, &entry.info, 1);
|
||
|
+ xx = headerVerifyInfo(1, il * sizeof(*pe), &info, &entry.info, 1);
|
||
|
if (xx != -1 ||
|
||
|
!((entry.info.tag == RPMTAG_HEADERSIGNATURES || entry.info.tag == RPMTAG_HEADERIMAGE)
|
||
|
- && entry.info.type == RPM_BIN_TYPE
|
||
|
+ && entry.info.type == REGION_TAG_TYPE
|
||
|
&& entry.info.count == REGION_TAG_COUNT))
|
||
|
{
|
||
|
rasprintf(&buf,
|