[packages/rpm.git] / rpm-headerChecks.patch

--- rpm-5.4.17/rpmdb/header.c.orig	2017-02-25 09:37:52.627550403 +0100
+++ rpm-5.4.17/rpmdb/header.c	2017-03-02 21:12:16.348808677 +0100
@@ -998,14 +998,15 @@
 	    if (off < 0)
 		goto errxit;
 	    if (off) {
+                rpmuint32_t * stei;
 		size_t nb = REGION_TAG_COUNT;
-		/* XXX copy to fix alignment problems */
-                rpmuint32_t * stei = (rpmuint32_t *)
-                          memcpy(alloca(nb), dataStart + off, nb);
 		if ((off + nb) > dl)
 		    goto errxit;
+		/* XXX copy to fix alignment problems */
+                stei = (rpmuint32_t *)
+                          memcpy(alloca(nb), dataStart + off, nb);
 		rdl = (rpmuint32_t)-ntohl(stei[2]);	/* negative offset */
-		if (rdl < REGION_TAG_COUNT || rdl > (rpmuint32_t)(off+nb))
+		if (rdl < REGION_TAG_COUNT || rdl > (rpmuint32_t)(il * REGION_TAG_COUNT))
 		    goto errxit;
 		ril = (rpmuint32_t)(rdl/sizeof(*pe));
 	    } else {
Commit	Line	Data
28d5147b JB	1	--- rpm-5.4.17/rpmdb/header.c.orig 2017-02-25 09:37:52.627550403 +0100
	2	+++ rpm-5.4.17/rpmdb/header.c 2017-03-02 21:12:16.348808677 +0100
	3	@@ -998,14 +998,15 @@
	4	if (off < 0)
	5	goto errxit;
	6	if (off) {
	7	+ rpmuint32_t * stei;
	8	size_t nb = REGION_TAG_COUNT;
	9	- /* XXX copy to fix alignment problems */
	10	- rpmuint32_t * stei = (rpmuint32_t *)
	11	- memcpy(alloca(nb), dataStart + off, nb);
	12	if ((off + nb) > dl)
	13	goto errxit;
	14	+ /* XXX copy to fix alignment problems */
	15	+ stei = (rpmuint32_t *)
	16	+ memcpy(alloca(nb), dataStart + off, nb);
	17	rdl = (rpmuint32_t)-ntohl(stei[2]); /* negative offset */
	18	- if (rdl < REGION_TAG_COUNT \|\| rdl > (rpmuint32_t)(off+nb))
	19	+ if (rdl < REGION_TAG_COUNT \|\| rdl > (rpmuint32_t)(il * REGION_TAG_COUNT))
	20	goto errxit;
	21	ril = (rpmuint32_t)(rdl/sizeof(*pe));
	22	} else {