Sanity check header tag values. Like, doh.

There's a check for total number of tags, and their types and all but absolutely no check for the actual tag numbers. So we end up accepting negative tags which should not exist. The tag type should really be uint32_t but that's another can of worms, lets have something easily backportable for now. This is enough to fix issues #133, #135, #136, #138 and #139 on the level of detecting header structural inconsistency. Backported from commit 3a07ba3: headerVerifyInfo() is so different in git master we can't use the same exact thing here. Instead we do things in two steps, headerVerifyInfo() catches totally garbage values and duplicate regions are caught in regionSwab().
rpm-software-management · Feb 16, 2017 · bb45f33 · bb45f33
1 parent e23c982
commit bb45f33
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/lib/header.c b/lib/header.c
@@ -209,6 +209,8 @@ int headerVerifyInfo(int il, int dl, const void * pev, void * iv, int negate)
 	if (end > info->offset)
 	    return i;
 
+	if (info->tag < HEADER_IMAGE)
+	    return i;
 	if (hdrchkType(info->type))
 	    return i;
 	if (hdrchkAlign(info->type, info->offset))
@@ -430,6 +432,9 @@ static int regionSwab(indexEntry entry, int il, int dl,
 	ie.info.count = ntohl(pe->count);
 	ie.info.offset = ntohl(pe->offset);
 
+	if (regionid != 0 && (ie.info.tag >= RPMTAG_HEADERIMAGE &&
+			      ie.info.tag < RPMTAG_HEADERREGIONS))
+	    return -1;
 	if (hdrchkType(ie.info.type))
 	    return -1;
 	if (hdrchkData(ie.info.count))