commit 8f4b3c3cab8922a2022b9e47c71f1ecf906077ef

Author: Demi Marie Obenour <athena@invisiblethingslab.com>

Date:   Mon Feb 8 16:05:01 2021 -0500

    hdrblobInit() needs bounds checks too

    Users can pass untrusted data to hdrblobInit() and it must be robust

    against this.

diff --git a/lib/header.c b/lib/header.c

index ea39e679f..ebba9c2b0 100644

--- a/lib/header.c

+++ b/lib/header.c

@@ -11,6 +11,7 @@

 #include "system.h"

 #include <netdb.h>

 #include <errno.h>

+#include <inttypes.h>

 #include <rpm/rpmtypes.h>

 #include <rpm/rpmstring.h>

 #include "lib/header_internal.h"

@@ -1912,6 +1913,25 @@ hdrblob hdrblobFree(hdrblob blob)

     return NULL;

 }

+static rpmRC hdrblobVerifyLengths(rpmTagVal regionTag, uint32_t il, uint32_t dl,

+				  char **emsg) {

+    uint32_t il_max = HEADER_TAGS_MAX;

+    uint32_t dl_max = HEADER_DATA_MAX;

+    if (regionTag == RPMTAG_HEADERSIGNATURES) {

+	il_max = 32;

+	dl_max = 64 * 1024 * 1024;

+    }

+    if (hdrchkRange(il_max, il)) {

+	rasprintf(emsg, _("hdr tags: BAD, no. of tags(%" PRIu32 ") out of range"), il);

+	return RPMRC_FAIL;

+    }

+    if (hdrchkRange(dl_max, dl)) {

+	rasprintf(emsg, _("hdr data: BAD, no. of bytes(%" PRIu32 ") out of range"), dl);

+	return RPMRC_FAIL;

+    }

+    return RPMRC_OK;

+}

+

 rpmRC hdrblobRead(FD_t fd, int magic, int exact_size, rpmTagVal regionTag, hdrblob blob, char **emsg)

 {

     int32_t block[4];

@@ -1924,13 +1944,6 @@ rpmRC hdrblobRead(FD_t fd, int magic, int exact_size, rpmTagVal regionTag, hdrbl

     size_t nb;

     rpmRC rc = RPMRC_FAIL;		/* assume failure */

     int xx;

-    int32_t il_max = HEADER_TAGS_MAX;

-    int32_t dl_max = HEADER_DATA_MAX;

-

-    if (regionTag == RPMTAG_HEADERSIGNATURES) {

-	il_max = 32;

-	dl_max = 64 * 1024 * 1024;

-    }

     memset(block, 0, sizeof(block));

     if ((xx = Freadall(fd, bs, blen)) != blen) {

@@ -1943,15 +1956,9 @@ rpmRC hdrblobRead(FD_t fd, int magic, int exact_size, rpmTagVal regionTag, hdrbl

 	goto exit;

     }

     il = ntohl(block[2]);

-    if (hdrchkRange(il_max, il)) {

-	rasprintf(emsg, _("hdr tags: BAD, no. of tags(%d) out of range"), il);

-	goto exit;

-    }

     dl = ntohl(block[3]);

-    if (hdrchkRange(dl_max, dl)) {

-	rasprintf(emsg, _("hdr data: BAD, no. of bytes(%d) out of range"), dl);

+    if (hdrblobVerifyLengths(regionTag, il, dl, emsg))

 	goto exit;

-    }

     nb = (il * sizeof(struct entryInfo_s)) + dl;

     uc = sizeof(il) + sizeof(dl) + nb;

@@ -1995,11 +2002,18 @@ rpmRC hdrblobInit(const void *uh, size_t uc,

 		struct hdrblob_s *blob, char **emsg)

 {

     rpmRC rc = RPMRC_FAIL;

-

     memset(blob, 0, sizeof(*blob));

+    if (uc && uc < 8) {

+	rasprintf(emsg, _("hdr length: BAD"));

+	goto exit;

+    }

+

     blob->ei = (int32_t *) uh; /* discards const */

-    blob->il = ntohl(blob->ei[0]);

-    blob->dl = ntohl(blob->ei[1]);

+    blob->il = ntohl((uint32_t)(blob->ei[0]));

+    blob->dl = ntohl((uint32_t)(blob->ei[1]));

+    if (hdrblobVerifyLengths(regionTag, blob->il, blob->dl, emsg) != RPMRC_OK)

+	goto exit;

+

     blob->pe = (entryInfo) &(blob->ei[2]);

     blob->pvlen = sizeof(blob->il) + sizeof(blob->dl) +

 		  (blob->il * sizeof(*blob->pe)) + blob->dl;