
rpm-4.8.1-10.5.mga1.src.rpm

@@ -, +, @@ 
    Differentiate between non-existent and invalid region tag
    
    - Non-existent region tag is very different from existing but invalid
      one - the former is not an error but the latter one is, and needs
      to be handled as such. Previously an invalid region tag would cause
      us to treat it like rpm v3 package on entry, skipping all the region
      sanity checks and then crashing and burning later on when the immutable
      tag is fetched.
    - Additionally verify the entire trailer, not just its offset, is
      within data area
    - Refer to REGION_TAG_TYPE instead of RPM_BIN_TYPE wrt the expected
      type of region tag for consistency and clarity, they are the same
      exact thing though.
--- a/lib/package.c	
+++ a/lib/package.c	
@@ -241,16 +241,23 @@ static rpmRC headerVerify(rpmKeyring keyring, rpmVSFlags vsflags,
     }
 
     /* Is there an immutable header region tag? */
-    if (!(entry.info.tag == RPMTAG_HEADERIMMUTABLE
-       && entry.info.type == RPM_BIN_TYPE
-       && entry.info.count == REGION_TAG_COUNT))
-    {
+    if (!(entry.info.tag == RPMTAG_HEADERIMMUTABLE)) {
 	rc = RPMRC_NOTFOUND;
 	goto exit;
     }
 
-    /* Is the offset within the data area? */
-    if (entry.info.offset >= dl) {
+    /* Is the region tag sane? */
+    if (!(entry.info.type == REGION_TAG_TYPE &&
+	  entry.info.count == REGION_TAG_COUNT)) {
+	rasprintf(&buf,
+		_("region tag: BAD, tag %d type %d offset %d count %d\n"),
+		entry.info.tag, entry.info.type,
+		entry.info.offset, entry.info.count);
+	goto exit;
+    }
+
+    /* Is the trailer within the data area? */
+    if (entry.info.offset + REGION_TAG_COUNT > dl) {
 	rasprintf(&buf, 
 		_("region offset: BAD, tag %d type %d offset %d count %d\n"),
 		entry.info.tag, entry.info.type,
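Review bot: The new trailer check `entry.info.offset + REGION_TAG_COUNT > dl` uses addition on a field that the adjacent message prints with `%d`. If offset is a signed 32-bit value taken from the package header, a negative or near-maximum offset could slip under the bound or overflow, unless a range check earlier in headerVerify (outside this hunk) already rejects it. Writing the bound in subtraction form, `if (entry.info.offset < 0 || dl < REGION_TAG_COUNT || entry.info.offset > dl - REGION_TAG_COUNT)`, keeps it correct regardless of what precedes it. The same expression appears in the first lib/signature.c hunk, in rpmReadSignature. The declarations of `dl` and `entry` are not visible here, so the exact types should be confirmed.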
@@ -266,7 +273,7 @@ static rpmRC headerVerify(rpmKeyring keyring, rpmVSFlags vsflags,
     xx = headerVerifyInfo(1, dl, &info, &entry.info, 1);
     if (xx != -1 ||
 	!(entry.info.tag == RPMTAG_HEADERIMMUTABLE
-       && entry.info.type == RPM_BIN_TYPE
+       && entry.info.type == REGION_TAG_TYPE
        && entry.info.count == REGION_TAG_COUNT))
     {
 	rasprintf(&buf, 
--- a/lib/signature.c	
+++ a/lib/signature.c	
@@ -171,12 +171,19 @@ rpmRC rpmReadSignature(FD_t fd, Header * sighp, sigType sig_type, char ** msg)
     }
 
     /* Is there an immutable header region tag? */
-    if (entry.info.tag == RPMTAG_HEADERSIGNATURES
-       && entry.info.type == RPM_BIN_TYPE
-       && entry.info.count == REGION_TAG_COUNT)
-    {
-
-	if (entry.info.offset >= dl) {
+    if (entry.info.tag == RPMTAG_HEADERSIGNATURES) {
+	/* Is the region tag sane? */
+	if (!(entry.info.type == REGION_TAG_TYPE &&
+	      entry.info.count == REGION_TAG_COUNT)) {
+	    rasprintf(&buf,
+		_("region tag: BAD, tag %d type %d offset %d count %d\n"),
+		entry.info.tag, entry.info.type,
+		entry.info.offset, entry.info.count);
+	    goto exit;
+	}
+	
+	/* Is the trailer within the data area? */
+	if (entry.info.offset + REGION_TAG_COUNT > dl) {
 	    rasprintf(&buf, 
 		_("region offset: BAD, tag %d type %d offset %d count %d\n"),
 		entry.info.tag, entry.info.type,
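Review bot: The added `region tag: BAD` branch fills `buf` and jumps to `exit` without assigning `rc`. Whether a malformed region tag is actually reported as a failure therefore depends on the value `rc` holds from before this hunk, which is not visible here. The matching branch in the first lib/package.c hunk does the same, although the not-found case just above it there sets `rc = RPMRC_NOTFOUND` explicitly. Since rejecting an invalid tag is the point of the change, I would either set `rc = RPMRC_FAIL;` before `goto exit;` or, once confirmed, add a comment such as `/* rc is still the failure default set at function entry */`. rpmReadSignature starts and ends outside the hunk.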
@@ -198,7 +205,7 @@ rpmRC rpmReadSignature(FD_t fd, Header * sighp, sigType sig_type, char ** msg)
 	xx = headerVerifyInfo(1, dl, &info, &entry.info, 1);
 	if (xx != -1 ||
 	    !((entry.info.tag == RPMTAG_HEADERSIGNATURES || entry.info.tag == RPMTAG_HEADERIMAGE)
-	   && entry.info.type == RPM_BIN_TYPE
+	   && entry.info.type == REGION_TAG_TYPE
 	   && entry.info.count == REGION_TAG_COUNT))
 	{
 	    rasprintf(&buf,