--- ./lib/header.c.orig	2011-10-19 15:08:41.000000000 +0000
+++ ./lib/header.c	2011-10-19 15:11:40.000000000 +0000
@@ -904,6 +904,10 @@ Header headerLoad(void * uh)
 	    h->indexUsed += ne;
 	  }
 	}
+	rdlen += REGION_TAG_COUNT;
+	/* XXX should be equality test, but dribbles are sometimes a bit off? */
+	if (rdlen > dl)
+	    goto errxit;
     }
 
     h->flags &= ~HEADERFLAG_SORTED;
--- ./rpmio/rpmpgp.c.orig	2011-10-19 15:12:17.000000000 +0000
+++ ./rpmio/rpmpgp.c	2011-10-19 15:13:46.000000000 +0000
@@ -402,6 +402,8 @@ static int pgpPrtSubType(const uint8_t *
 
     while (hlen > 0) {
 	i = pgpLen(p, &plen);
+	if (i + plen > hlen)
+	    break;
 	p += i;
 	hlen -= i;
 
@@ -484,7 +486,7 @@ static int pgpPrtSubType(const uint8_t *
 	p += plen;
 	hlen -= plen;
     }
-    return 0;
+    return (hlen != 0); /* non-zero hlen is an error */
 }
 
 static const char * const pgpSigRSA[] = {
@@ -608,7 +610,8 @@ fprintf(stderr, "   hash[%zu] -- %s\n",
 	    _digp->hashlen = sizeof(*v) + plen;
 	    _digp->hash = memcpy(xmalloc(_digp->hashlen), v, _digp->hashlen);
 	}
-	(void) pgpPrtSubType(p, plen, v->sigtype, _digp);
+	if (pgpPrtSubType(p, plen, v->sigtype, _digp))
+	    return 1;
 	p += plen;
 
 	plen = pgpGrab(p,2);
@@ -619,7 +622,8 @@ fprintf(stderr, "   hash[%zu] -- %s\n",
 
 if (_debug && _print)
 fprintf(stderr, " unhash[%zu] -- %s\n", plen, pgpHexStr(p, plen));
-	(void) pgpPrtSubType(p, plen, v->sigtype, _digp);
+	if (pgpPrtSubType(p, plen, v->sigtype, _digp))
+	    return 1;
 	p += plen;
 
 	plen = pgpGrab(p,2);