rpm-headerChecks.patch

   1 --- rpm-5.4.17/rpmdb/header.c.orig      2017-02-25 09:37:52.627550403 +0100
   2 +++ rpm-5.4.17/rpmdb/header.c   2017-03-02 21:12:16.348808677 +0100
   3 @@ -998,14 +998,15 @@
   4             if (off < 0)
   5                 goto errxit;
   6             if (off) {
   7 +                rpmuint32_t * stei;
   8                 size_t nb = REGION_TAG_COUNT;
   9 -               /* XXX copy to fix alignment problems */
  10 -                rpmuint32_t * stei = (rpmuint32_t *)
  11 -                          memcpy(alloca(nb), dataStart + off, nb);
  12                 if ((off + nb) > dl)
  13                     goto errxit;
  14 +               /* XXX copy to fix alignment problems */
  15 +                stei = (rpmuint32_t *)
  16 +                          memcpy(alloca(nb), dataStart + off, nb);
  17                 rdl = (rpmuint32_t)-ntohl(stei[2]);     /* negative offset */
  18 -               if (rdl < REGION_TAG_COUNT || rdl > (rpmuint32_t)(off+nb))
  19 +               if (rdl < REGION_TAG_COUNT || rdl > (rpmuint32_t)(il * REGION_TAG_COUNT))
  20                     goto errxit;
  21                 ril = (rpmuint32_t)(rdl/sizeof(*pe));
  22             } else {