Sanity check region offset range on headerLoad()

- Fixes the first crash case of RhBug:741606 / CVE-2011-3378, where the
  immutable region offset is way out of bounds.
(cherry picked from commit a48f0e20cbe2ababc88b2fc52fb7a281d6fc1656)
Panu Matilainen 2011-09-29 13:22:32 +03:00 committed by Dmitry V. Levin
parent 61ff739898
commit 683c0b8455


@ -63,6 +63,11 @@ static size_t headerMaxbytes = (32*1024*1024);
*/
#define hdrchkData(_nbytes) ((_nbytes) & 0xff000000)
/**
* Sanity check on range of data offset.
*/
#define hdrchkRange(_dl, _off) ((_off) < 0 || (_off) > (_dl))
/** \ingroup header
* Alignment needs (and sizeof scalars types) for internal rpm data types.
*/
@ -959,7 +964,7 @@ Header headerLoad(/*@kept@*/ void * uh)
{ int off = ntohl(pe->offset);
if (hdrchkData(off))
if (hdrchkData(off) || hdrchkRange(dl, off))
goto errxit;
if (off) {
int_32 * stei = memcpy(alloca(nb), dataStart + off, nb);
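Review bot: The added `hdrchkRange(dl, off)` test in headerLoad() bounds only the start of the region trailer: the macro accepts any `off` up to and including `dl`, while the `memcpy(alloca(nb), dataStart + off, nb)` just below reads `nb` bytes starting at that offset. Assuming `dl` is the length of the data area that `dataStart` points at (neither declaration is visible in the hunk), an offset within `nb` bytes of the end still passes and the copy reads past the buffer. The condition should also cover the end of the read, for example `if (hdrchkData(off) || hdrchkRange(dl, off) || (off && hdrchkRange(dl, off + nb)))`, provided `nb` is already in scope at that point; `hdrchkData` has already capped `off` below 0x01000000, so the addition should not overflow. A one-line comment on `hdrchkRange` saying that it validates a single offset and not an offset-plus-length span would help later callers avoid the same gap. headerLoad's body starts and ends outside the hunk.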