
rpm-4.8.1-10.5.mga1.src.rpm

@@ -, +, @@ 
    Validate negated offsets too in headerVerifyInfo()
    
    - Undo the ancient broken fix for RhBug:71996 from commit
      9e06e3b8ca76ae55eaf2c4e37ba9cac729789014: instead of disabling
      the check, pass in the correct upper range which is entirely
      different from everything else for the region trailer tag.
--- a/lib/header.c	
+++ a/lib/header.c	
@@ -171,7 +171,7 @@ int headerVerifyInfo(int il, int dl, const void * pev, void * iv, int negate)
 	    return i;
 	if (hdrchkAlign(info->type, info->offset))
 	    return i;
-	if (!negate && hdrchkRange(dl, info->offset))
+	if (hdrchkRange(dl, info->offset))
 	    return i;
 	if (hdrchkData(info->count))
 	    return i;
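Review bot: With the `!negate` guard removed, `dl` is no longer always a data length: for negate callers it must be the upper bound for the negated region-trailer offset, and nothing at the check says so. I would add a comment above the `hdrchkRange(dl, info->offset)` line, such as `/* dl bounds the (possibly negated) offset; region trailer callers pass the index size, not the data length */`. This diff updates the callers in lib/package.c and lib/signature.c, but any other caller that passes negate=1 with a data length would now be checked against the wrong bound, so it is worth searching for them. headerVerifyInfo's body starts and ends outside this hunk.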
--- a/lib/package.c	
+++ a/lib/package.c	
@@ -270,7 +270,7 @@ static rpmRC headerVerify(rpmKeyring keyring, rpmVSFlags vsflags,
     (void) memcpy(&info, regionEnd, REGION_TAG_COUNT);
     regionEnd += REGION_TAG_COUNT;
 
-    xx = headerVerifyInfo(1, dl, &info, &entry.info, 1);
+    xx = headerVerifyInfo(1, il * sizeof(*pe), &info, &entry.info, 1);
     if (xx != -1 ||
 	!(entry.info.tag == RPMTAG_HEADERIMMUTABLE
        && entry.info.type == REGION_TAG_TYPE
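Review bot: `il * sizeof(*pe)` is computed as size_t and then narrowed to the `int dl` parameter of headerVerifyInfo, so the bound is only meaningful if `il` has already been range-checked, and that check is not visible in this hunk. If an unchecked `il` read from the header could reach this line, the product could wrap or turn negative after conversion and the range check on the trailer offset would not mean what it appears to. Presumably `il` is validated earlier in headerVerify, but that should be confirmed and recorded with a comment such as `/* il was bounds-checked above, so il * sizeof(*pe) fits in int */`. The same expression is added in rpmReadSignature in lib/signature.c. headerVerify's body continues outside the hunk.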
--- a/lib/signature.c	
+++ a/lib/signature.c	
@@ -202,7 +202,7 @@ rpmRC rpmReadSignature(FD_t fd, Header * sighp, sigType sig_type, char ** msg)
 	}
 	dataEnd += REGION_TAG_COUNT;
 
-	xx = headerVerifyInfo(1, dl, &info, &entry.info, 1);
+	xx = headerVerifyInfo(1, il * sizeof(*pe), &info, &entry.info, 1);
 	if (xx != -1 ||
 	    !((entry.info.tag == RPMTAG_HEADERSIGNATURES || entry.info.tag == RPMTAG_HEADERIMAGE)
 	   && entry.info.type == REGION_TAG_TYPE