--- lib/header.c.orig	2012-04-17 16:16:29.000000000 +0000
+++ lib/header.c	2012-04-17 16:53:32.000000000 +0000
@@ -197,7 +197,7 @@ int headerVerifyInfo(int il, int dl, con
 	    return i;
 	if (hdrchkAlign(info->type, info->offset))
 	    return i;
-	if (!negate && hdrchkRange(dl, info->offset))
+	if (hdrchkRange(dl, info->offset))
 	    return i;
 	if (hdrchkData(info->count))
 	    return i;
@@ -837,10 +837,13 @@ Header headerLoad(void * uh)
 
 	entry->info.type = htonl(pe->type);
 	entry->info.count = htonl(pe->count);
+	entry->info.tag = htonl(pe->tag);
 
-	if (hdrchkType(entry->info.type))
+	if (!ENTRY_IS_REGION(entry))
 	    goto errxit;
-	if (hdrchkTags(entry->info.count))
+	if (entry->info.type != REGION_TAG_TYPE)
+	    goto errxit;
+	if (entry->info.count != REGION_TAG_COUNT)
 	    goto errxit;
 
 	{   int off = ntohl(pe->offset);
@@ -856,7 +859,6 @@ Header headerLoad(void * uh)
 		ril = rdl/sizeof(*pe);
 		if (hdrchkTags(ril) || hdrchkData(rdl))
 		    goto errxit;
-		entry->info.tag = htonl(pe->tag);
 	    } else {
 		ril = il;
 		rdl = (ril * sizeof(struct entryInfo_s));
@@ -876,13 +878,12 @@ Header headerLoad(void * uh)
 	    indexEntry newEntry = entry + ril;
 	    int ne = (h->indexUsed - ril);
 	    int rid = entry->info.offset+1;
-	    int rc;
 
 	    /* Load dribble entries from region. */
-	    rc = regionSwab(newEntry, ne, 0, pe+ril, dataStart, dataEnd, rid);
-	    if (rc < 0)
+	    rdlen = regionSwab(newEntry, ne, rdlen, pe+ril,
+				dataStart, dataEnd, rid);
+	    if (rdlen < 0)
 		goto errxit;
-	    rdlen += rc;
 
 	  { indexEntry firstEntry = newEntry;
 	    int save = h->indexUsed;
@@ -905,7 +906,7 @@ Header headerLoad(void * uh)
 	  }
 	}
 	rdlen += REGION_TAG_COUNT;
-	/* XXX should be equality test, but dribbles are sometimes a bit off? */
+	/* should be equality test, but can be off if entries are not perfectly aligned */
 	if (rdlen > dl)
 	    goto errxit;
     }
--- lib/package.c.orig	2012-04-17 16:26:00.000000000 +0000
+++ lib/package.c	2012-04-17 16:26:05.000000000 +0000
@@ -241,16 +241,23 @@ static rpmRC headerVerify(rpmKeyring key
     }
 
     /* Is there an immutable header region tag? */
-    if (!(entry.info.tag == RPMTAG_HEADERIMMUTABLE
-       && entry.info.type == RPM_BIN_TYPE
-       && entry.info.count == REGION_TAG_COUNT))
-    {
+    if (!(entry.info.tag == RPMTAG_HEADERIMMUTABLE)) {
 	rc = RPMRC_NOTFOUND;
 	goto exit;
     }
 
-    /* Is the offset within the data area? */
-    if (entry.info.offset >= dl) {
+    /* Is the region tag sane? */
+    if (!(entry.info.type == REGION_TAG_TYPE &&
+	  entry.info.count == REGION_TAG_COUNT)) {
+	rasprintf(&buf,
+		_("region tag: BAD, tag %d type %d offset %d count %d\n"),
+		entry.info.tag, entry.info.type,
+		entry.info.offset, entry.info.count);
+	goto exit;
+    }
+
+    /* Is the trailer within the data area? */
+    if (entry.info.offset + REGION_TAG_COUNT > dl) {
 	rasprintf(&buf, 
 		_("region offset: BAD, tag %d type %d offset %d count %d\n"),
 		entry.info.tag, entry.info.type,
@@ -263,10 +270,10 @@ static rpmRC headerVerify(rpmKeyring key
     (void) memcpy(&info, regionEnd, REGION_TAG_COUNT);
     regionEnd += REGION_TAG_COUNT;
 
-    xx = headerVerifyInfo(1, dl, &info, &entry.info, 1);
+    xx = headerVerifyInfo(1, il * sizeof(*pe), &info, &entry.info, 1);
     if (xx != -1 ||
 	!(entry.info.tag == RPMTAG_HEADERIMMUTABLE
-       && entry.info.type == RPM_BIN_TYPE
+       && entry.info.type == REGION_TAG_TYPE
        && entry.info.count == REGION_TAG_COUNT))
     {
 	rasprintf(&buf, 
--- lib/signature.c.orig	2012-04-17 16:25:52.000000000 +0000
+++ lib/signature.c	2012-04-17 16:26:05.000000000 +0000
@@ -133,12 +133,19 @@ rpmRC rpmReadSignature(FD_t fd, Header *
     }
 
     /* Is there an immutable header region tag? */
-    if (entry.info.tag == RPMTAG_HEADERSIGNATURES
-       && entry.info.type == RPM_BIN_TYPE
-       && entry.info.count == REGION_TAG_COUNT)
-    {
-
-	if (entry.info.offset >= dl) {
+    if (entry.info.tag == RPMTAG_HEADERSIGNATURES) {
+	/* Is the region tag sane? */
+	if (!(entry.info.type == REGION_TAG_TYPE &&
+	      entry.info.count == REGION_TAG_COUNT)) {
+	    rasprintf(&buf,
+		_("region tag: BAD, tag %d type %d offset %d count %d\n"),
+		entry.info.tag, entry.info.type,
+		entry.info.offset, entry.info.count);
+	    goto exit;
+	}
+	
+	/* Is the trailer within the data area? */
+	if (entry.info.offset + REGION_TAG_COUNT > dl) {
 	    rasprintf(&buf, 
 		_("region offset: BAD, tag %d type %d offset %d count %d\n"),
 		entry.info.tag, entry.info.type,
@@ -157,10 +164,10 @@ rpmRC rpmReadSignature(FD_t fd, Header *
 	}
 	dataEnd += REGION_TAG_COUNT;
 
-	xx = headerVerifyInfo(1, dl, &info, &entry.info, 1);
+	xx = headerVerifyInfo(1, il * sizeof(*pe), &info, &entry.info, 1);
 	if (xx != -1 ||
 	    !((entry.info.tag == RPMTAG_HEADERSIGNATURES || entry.info.tag == RPMTAG_HEADERIMAGE)
-	   && entry.info.type == RPM_BIN_TYPE
+	   && entry.info.type == REGION_TAG_TYPE
 	   && entry.info.count == REGION_TAG_COUNT))
 	{
 	    rasprintf(&buf,