pld rpm 5.4.17

Jeffrey Johnson n3npq at me.com
Sat Mar 4 23:37:14 CET 2017


> On Mar 4, 2017, at 4:35 PM, Jeffrey Johnson <n3npq at me.com> wrote:
> 
> 
> I have a dim memory of a compatibility patch fix for immutable region trailers
> that was needed like 10+ years ago that I deleted (because deemed unneeded).
> 

Good: the hack that I recall was very very ancient (like more than 10y ago).

> I’ll resuscitate my memories in the next few days and dig into cvs history.
> 

Appended is the cause of the regression, basically stronger tests on tag data validity
driven by AFL fuzzing (5.4.15 is '-', 5.4.18 is '+', in the attached patch snippet).

The hdrchkData(off) was (and is at rpm.org) a very weak test of data validity.

Now that I understand the context ... let me think about adding the rest of your patch;
it's highly unlikely that nested immutable headers will ever be attempted.

hth. Thanks for patience, and thanks for persisting. Legacy compatibility is hard ...

73 de Jeff

================================================
@@ -1067,34 +995,32 @@ assert(h != NULL);

        {   rpmint32_t off = (rpmint32_t) ntohl(pe->offset);

-           if (hdrchkData(off))
+           if (off < 0)
                goto errxit;
            if (off) {
-/*@-sizeoftype@*/
+               rpmuint32_t * stei;
                size_t nb = REGION_TAG_COUNT;
-/*@=sizeoftype@*/
-               rpmuint32_t * stei = (rpmuint32_t *)
+               if ((off + nb) > dl)
+                   goto errxit;
+               /* XXX copy to fix alignment problems */
+               stei = (rpmuint32_t *)
                        memcpy(alloca(nb), dataStart + off, nb);
                rdl = (rpmuint32_t)-ntohl(stei[2]);     /* negative offset */
-assert((rpmint32_t)rdl >= 0);  /* XXX insurance */
-               ril = (rpmuint32_t)(rdl/sizeof(*pe));
-               if (hdrchkTags(ril) || hdrchkData(rdl))
+               if (rdl < REGION_TAG_COUNT || rdl > (rpmuint32_t)(off+nb))
                    goto errxit;
+               ril = (rpmuint32_t)(rdl/sizeof(*pe));
            } else {
                ril = il;
-               /*@-sizeoftype@*/
                rdl = (rpmuint32_t)(ril * sizeof(struct entryInfo_s));
-               /*@=sizeoftype@*/
                entry->info.tag = (rpmTag) HEADER_IMAGE;
            }
        }
        entry->info.offset = (rpmint32_t) -rdl; /* negative offset */
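Review bot: the new pair of bounds `rdl < REGION_TAG_COUNT || rdl > (rpmuint32_t)(off+nb)` replaces the old `hdrchkTags(ril) || hdrchkData(rdl)` checks, but the tag-count check is now only implicit (rdl <= off+nb <= dl caps `ril` at dl/sizeof(*pe), which is only as strong as whatever already bounds `dl`), and nothing requires `rdl` to be a multiple of sizeof(*pe), so the moved line `ril = (rpmuint32_t)(rdl/sizeof(*pe));` silently truncates a misaligned region length instead of rejecting it; consider adding `if (rdl % sizeof(*pe)) goto errxit;` next to the new check and a comment stating that the upper bound on `rdl` is what now bounds `ril`. Two smaller points: `if ((off + nb) > dl)` mixes the signed `off` with `size_t nb` and is safe only because `if (off < 0) goto errxit;` has just run, which deserves a one-line comment since the two checks are separated by the `if (off)` branch; and since this tightening is what the mail identifies as the cause of the regression, the legacy trailer layout the old `hdrchkData(rdl)` check tolerated should be named in a comment at the rejection site so the next reader knows the stricter bounds are intentional.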
