commit c518a4320509464b55b8781221d0b781af1577ee Author: DMorgan <Dmorgan> Date: Sat Oct 1 10:37:59 2011 +0200 - Region offsets are supposed to be negative when when an entry is involved, otherwise zero. Fixes some cases of crash'n'burn on malformed headers having bogus offsets (CVE-2011-3378)
diff --git a/lib/header.c b/lib/header.c
index 36b8ba2..ba4ad21 100644
--- a/lib/header.c
+++ b/lib/header.c
@@ -360,6 +360,9 @@ static int regionSwab(indexEntry entry, int il, int dl,
 const unsigned char * dataEnd,
 int regionid)
 {
+ if ((entry != NULL && regionid >= 0) || (entry == NULL && regionid != 0))
+ return -1;
+
 for (; il > 0; il--, pe++) {
 struct indexEntry_s ie;
 rpmTagType type;
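Review bot: The new guard at the top of regionSwab encodes the region-offset invariant only in the commit message; nothing in the code says why `entry != NULL && regionid >= 0` or `entry == NULL && regionid != 0` marks a malformed header, so a one-line comment above the `if` would help, e.g. `/* region offset must be negative when an entry is involved and zero otherwise; anything else is a malformed header (CVE-2011-3378) */`. The guard rejects bad input by returning -1, which only protects callers that actually test regionSwab's result for a negative value; those call sites are outside this hunk and should be checked. regionSwab's parameter list starts before the hunk and its body continues past the end of it.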