Sophie

rpm-4.8.1-10.5.mga1.src.rpm

commit c518a4320509464b55b8781221d0b781af1577ee
Author: DMorgan <Dmorgan>
Date:   Sat Oct 1 10:37:59 2011 +0200

    - Region offsets are supposed to be negative when an entry
      is involved, otherwise zero. Fixes some cases of crash'n'burn on
      malformed headers having bogus offsets (CVE-2011-3378)

diff --git a/lib/header.c b/lib/header.c
index 36b8ba2..ba4ad21 100644
--- a/lib/header.c
+++ b/lib/header.c
@@ -360,6 +360,9 @@ static int regionSwab(indexEntry entry, int il, int dl,
 		const unsigned char * dataEnd,
 		int regionid)
 {
+    if ((entry != NULL && regionid >= 0) || (entry == NULL && regionid != 0))
+	return -1;
+
     for (; il > 0; il--, pe++) {
 	struct indexEntry_s ie;
 	rpmTagType type;
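
Review bot: the guard added at the top of regionSwab() states its invariant only through the two-sided condition, so a short comment above it would help: regionid must be negative when entry is non-NULL and zero when entry is NULL, as the commit message puts it. The early `return -1` only helps if every caller of regionSwab() treats a negative result as a malformed header and stops processing; the callers are not in these lines, so that is worth confirming in the same change.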