From deed78f1bff43ff9b5330dc6ab9ba7a754408e8b Mon Sep 17 00:00:00 2001
From: Demi Marie Obenour
Date: Tue, 23 Mar 2021 12:03:30 -0400
Subject: [PATCH 1/2] Fix a regression from commit 22106f5d33628515d22c09c1c15dfd2217535116
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Commit 22106f5d33628515d22c09c1c15dfd2217535116 assumed that dataLength() would always return a nonzero number. Unfortunately, that isn’t the case: dataLength() returns zero for RPM_NULL_TYPE. This meant that hdrblobVerifyInfo() failed to reject such entries, which are invalid.
This fixes the problem in three different ways:
1. It checks that tag data entries have length greater than zero.
2. It modifies hdrchkType() to reject RPM_NULL_TYPE.
3. It modifies dataLength() to consider zero length as an error.
---
 lib/header.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/header.c b/lib/header.c
index 34d291e914..88a013c66e 100644
--- a/lib/header.c
+++ b/lib/header.c
@@ -138,7 +138,7 @@ static const size_t headerMaxbytes = (256*1024*1024);
 /**
 * Sanity check on type values.
 */
-#define hdrchkType(_type) ((_type) < RPM_MIN_TYPE || (_type) > RPM_MAX_TYPE)
+#define hdrchkType(_type) ((_type) <= RPM_MIN_TYPE || (_type) > RPM_MAX_TYPE)
 /**
 * Sanity check on data size and/or offset and/or count.
@@ -298,7 +298,7 @@ static rpmRC hdrblobVerifyInfo(hdrblob blob, char **emsg)
 /* Verify the data actually fits */
 len = dataLength(info.type, ds + info.offset, info.count, 1, ds + blob->dl);
- if (hdrchkRange(blob->dl - info.offset, len))
+ if (len <= 0 || len > blob->dl - info.offset)
 goto err;
 end = info.offset + len;
 if (blob->regionTag) {
@@ -475,7 +475,7 @@ static int dataLength(rpm_tagtype_t type, rpm_constdata_t p, rpm_count_t count,
 if (typeSizes[type] == -1)
 return -1;
 length = typeSizes[(type & 0xf)] * count;
- if (length < 0 || (se && (s + length) > se))
+ if (length <= 0 || (se && (s + length) > se))
 return -1;
 break;
 }
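Review bot: The rewritten hdrchkType rejects RPM_MIN_TYPE itself by turning `<` into `<=`, which reads like an off-by-one to anyone who does not know that the null type sits at the minimum; the intent stated in the commit message (reject RPM_NULL_TYPE) is not visible in the code. I would spell the intent out and add a comment: `/* RPM_NULL_TYPE is never a valid type for a header entry */` followed by `#define hdrchkType(_type) ((_type) == RPM_NULL_TYPE || (_type) < RPM_MIN_TYPE || (_type) > RPM_MAX_TYPE)`. This presumes RPM_MIN_TYPE equals RPM_NULL_TYPE, which the hunk does not show; if they differ, the current `<=` silently rejects a valid type rather than the null one.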
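Review bot: The new guard `len > blob->dl - info.offset` is only sound if `info.offset` has already been bounded to `[0, blob->dl]` before this line; that check, if it exists, is outside the hunk (hdrblobVerifyInfo starts and ends outside it), and if it is missing or comes later the subtraction can go negative and an oversized `len` slips through. A comment tying the two together would help the next reader: `/* info.offset was range-checked against blob->dl above, so dl - offset cannot underflow */`. Note also that `len <= 0` now rejects every zero-length entry regardless of type, not only RPM_NULL_TYPE; if a count of zero for string-array types was previously accepted, that is a behaviour change the commit message does not mention and should be confirmed against the count validation earlier in the function.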
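Review bot: In the dataLength hunk, `length = typeSizes[(type & 0xf)] * count` multiplies an int by rpm_count_t; if rpm_count_t is unsigned (the name suggests so, but the type is not visible here) the product is computed in unsigned arithmetic and wraps instead of going negative, so `length <= 0` only catches wrapped results that happen to land on zero or a negative int after conversion. The bound then rests on `(s + length) > se` and on callers capping `count` before the call. I would either check `count > INT_MAX / typeSizes[type]` here or document the precondition: `/* caller must bound count so that typeSizes[type] * count fits in int */`. The first line also indexes `typeSizes[type]` without the `& 0xf` mask used on the next, relying on hdrchkType having run first; one form would be clearer. dataLength starts and ends outside the hunk.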
From a45799a68e8e281d08266fe9e7c1c87e2e40acc4 Mon Sep 17 00:00:00 2001
From: Demi Marie Obenour
Date: Tue, 23 Mar 2021 12:16:57 -0400
Subject: [PATCH 2/2] Fix some out-of-bounds pointer arithmetic
It is undefined behavior in C.
---
 lib/header.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/header.c b/lib/header.c
index 88a013c66e..fbde066025 100644
--- a/lib/header.c
+++ b/lib/header.c
@@ -475,7 +475,7 @@ static int dataLength(rpm_tagtype_t type, rpm_constdata_t p, rpm_count_t count,
 if (typeSizes[type] == -1)
 return -1;
 length = typeSizes[(type & 0xf)] * count;
- if (length <= 0 || (se && (s + length) > se))
+ if (length <= 0 || (se && length > se - s))
 return -1;
 break;
 }
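Review bot: `length > se - s` avoids forming a pointer past the end of the buffer, but `se - s` is itself only defined when both pointers address the same object with `s <= se`; nothing in the hunk establishes that, and when `s` is already past `se` the difference is negative and the entry is rejected, which is the right outcome but only by the sign happening to fall that way. A comment would make the contract explicit: `/* s and se must point into the same buffer, s <= se; se - s is the bytes still available */`. The comparison is signed on both sides (int against ptrdiff_t) and `length` is already known positive here, so no promotion surprise. If the string branches of dataLength use the same `p + n > se` form (not visible here) they want the same rewrite; dataLength starts and ends outside the hunk.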